deploying ascom i62 with aruba networks’ secure mobility solution · 2018-02-13 · solution...

Technology Solution Guide: Deploying Ascom i62 with Aruba Networks’ Secure Mobility Solution. Ascom i62 Handset and OEM derivatives, Software version 5.2.8. Aruba 600/3000/6000/7000/7200 Mobility Controllers, AOS version 6.4.2.0. Aruba AP92/93/103/104/105/114/115/124/125/134/135/204/205/214/215/224/225/275. September 15th 2014


Post on 05-Aug-2020


Deploying Ascom’s i62 VoWi-Fi Handset with Aruba Networks’ Secure Mobility Solution

WARRANTY DISCLAIMER

THE FOLLOWING DOCUMENT, AND THE INFORMATION CONTAINED HEREIN, IS PROVIDED ON AN "AS IS" BASIS. ARUBA MAKES NO REPRESENTATIONS, WARRANTIES, CONDITIONS OR GUARANTEES AS TO THE USEFULNESS, QUALITY, SUITABILITY, TRUTH, ACCURACY OR COMPLETENESS OF THIS DOCUMENT AND THE INFORMATION CONTAINED IN THIS DOCUMENT.

DISCLAIMER OF LIABILITY

Aruba Networks Inc. disclaims liability for any personal injury, property or other damages of any nature whatsoever, whether special, indirect, consequential or compensatory, directly or indirectly resulting from the certification program or the acts or omissions of any company or technology that has been certified by Aruba Networks.

Certification does not mean that the company is a subcontractor or under the technical control or direction of Aruba Networks. In conducting the certification program, Aruba Networks is not undertaking to render professional or other services for or on behalf of any person or entity.

Table of Contents

Introduction
Solution Components
  Aruba Campus WLAN Solution
  Ascom Solution
ArubaEdge Solution Qualification
  Qualification Objective
  Network Topology
  Test Methodology
  Summary Test Results
  Known Limitations
  Conclusion
Appendix 1
  General settings (SSID, Radio and QoS)
  Encryption and Authentication Settings
  Ascom i62 Setting Summary
APPENDIX B
  Test Summary
  Aruba Test Configuration File

Introduction

This document describes the steps and guidelines necessary to configure Aruba’s wireless LAN (AOS version 6.4.2.0) infrastructure to interoperate with Ascom’s i62 handsets.

The guide is intended to be used in conjunction with Aruba and Ascom configuration guides. Please contact the respective company’s sales engineering or support groups should additional information be required.

Solution Verified: Ascom Phones

Aruba Product: Aruba Campus WLAN Solution, OS version 6.4.x.x

Partner Solution Tested: Ascom i62 Handset, Software version 5.2.8

Solution Components

Aruba Campus WLAN Solution

Secure and reliable mobility is the responsibility of the enterprise network, which must support a wide range of converged clients over wireless, wired and remote access networks. Laptops and smartphones are capable of simultaneously running voice, data and now video applications, an operating model that breaks traditional dedicated VLAN and SSID architectures. Delivering the quality of service (QoS), bandwidth and management tools necessary to accommodate these devices on a grand scale – within a campus environment, to users on the road, and in branch offices – requires a specially tailored system design.

Aruba’s unique application and device fingerprinting enable the system to detect the types of traffic flows and the devices from which they originate. The network can then be dynamically conditioned to deliver QoS - on an application-by-application, device-by-device basis - as needed to ensure highly reliable application delivery. Aruba’s integrated policy enforcement firewall isolates applications from one another to essentially create multiple dedicated virtual networks, and then allocates the necessary bandwidth for each user and application.

To ensure reliable application delivery in changing RF environments, Aruba’s Adaptive Radio Management (ARM) technology forces client devices to shift away from the noisy 2.4 GHz band to the quieter 5 GHz band, adjusts radio power levels to blanket coverage areas, load balances by shifting clients between access points, and even allocates airtime based on the capabilities of each client device. The result is a superb user experience without any user involvement.

These services are complemented by security systems that ensure the integrity of the network. Rogue detection, wireless intrusion and prevention, access control, remote site VPN, content security scanning, end-to-end data encryption and other services protect the network and users at all times.

Aruba’s extensive portfolio of campus, branch/teleworker and mobile solutions simplify operations and secure access to unified communications applications and services - regardless of the user’s device, location or network. This dramatically improves productivity, lowering capital and operational costs while providing a superior, uninterrupted user experience.

Ascom Solution

The Ascom i62 offers a sophisticated telephony, messaging and alarm solution for enterprise business based on Wi-Fi technology. By offering Voice over Wi-Fi, only one network needs to be installed and maintained for all applications, including Internet access, e-mail, voice and other business related applications.

The latest 802.11n and 802.11ac standards provide the benefits of higher throughput and longer range, increasing the ability to integrate with other systems and build efficient applications. With the new generation networks and handsets, the capacity and versatility outperforms any other on-site wireless technology.

The Ascom i62 offers a unique management tool with a central management concept, enabling remote management and SW upgrades of the handsets over the air.

Certified Product Summary

Manufacturer: Ascom Wireless Solutions
Products Certified: Ascom i62 and OEM derivatives
Hardware Model Numbers: WH1-xxxx
Software Version Numbers: 5.2.8

RF Features Tested

Radio Supported: 802.11a/b/g/n
QoS Features Supported/Tested: WMM
Powersave Features Tested: U-APSD
Encryption Supported: WPA2-PSK, PEAP-MSCHAPv2, EAP-TLS
Encryption Tested: WPA2-PSK, PEAP-MSCHAPv2, EAP-TLS
802.11h Supported: Yes
Key Caching Support for Optimized Roaming: OKC and PMK

Voice Specific Features

Protocols Supported: SIP-UDP, SIP-TCP, SIP-TLS, H.323
Control Traffic Pattern: Handset to Server and vice versa
Voice Traffic Pattern: Peer-to-peer (between handsets)
# of Calls per AP Tested: 18 calls (not AP-capacity limited)

ArubaEdge Solution Qualification

Qualification Objective

Validate the interoperability of the Ascom i62 with Aruba’s wireless LAN infrastructure (version 6.4.2.0).

Network Topology

Settings on the Aruba WLAN

Enable SNMP v2 on the Aruba Mobility Controller and configure the community string as follows

The following Aruba Mobility Controller configuration settings are recommended for use with Ascom i62 handsets:

RF: Recommended Settings for Ascom
  o Beacon Interval: 100 ms
  o DTIM Period: 5
  o WMM / U-APSD: Enabled
  o 802.11d Regulatory Domain: Country specific

Encryption and Authentication
  o The handset and the WLAN infrastructure support and were tested with WPA/WPA2 enterprise and PSK. Please refer to the Aruba configuration guide for additional information on how the SSIDs and encryption/authentication methods should be configured.

Adaptive Radio Management
  o Enable ARM voice aware scanning, WMM UAPSD and band steering.

User Roles and Policies
  o The Ascom phones support SIP and H.323, so enable the voice ACL or the SIP and H.323 ACLs.
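The recommendation above is to give the handset role the voice ACL, or the SIP and H.323 ACLs. The following added example (not part of the original guide, and not Aruba or Ascom code) checks an ArubaOS-style configuration for user-roles whose session ACLs contain a permit-all rule. The sample configuration is constructed in the style of the Appendix B test configuration, and the role name voice-only is hypothetical.

```python
import re

# Constructed sample in the style of the Appendix B test configuration.
# The role name "voice-only" is hypothetical; the other names appear in the guide.
SAMPLE_CONFIG = """\
ip access-list session sip-acl
  any any svc-sip-udp permit queue high
  any any svc-sip-tcp permit queue high
!
ip access-list session h323-acl
  any any svc-h323-tcp permit queue high
  any any svc-h323-udp permit queue high
!
ip access-list session dhcp-acl
  any any svc-dhcp permit
!
ip access-list session ascom
  any any any permit
!
ip access-list session global-sacl
!
user-role ascom
  access-list session global-sacl
  access-list session ascom
!
user-role voice-only
  access-list session global-sacl
  access-list session sip-acl
  access-list session h323-acl
  access-list session dhcp-acl
!
"""

ACL_HEADER = re.compile(r"^ip access-list session (\S+)$")
ROLE_HEADER = re.compile(r"^user-role (\S+)$")
ROLE_ACL_REF = re.compile(r"^access-list session (\S+)$")


def parse_config(text):
    """Return (acls, roles): ACL name -> rules, role name -> referenced ACL names."""
    acls, roles = {}, {}
    block = None  # list that indented lines are currently appended to
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():
            # Top-level statement: opens an ACL or role block, or closes the current one.
            acl, role = ACL_HEADER.match(line), ROLE_HEADER.match(line)
            if acl:
                block = acls.setdefault(acl.group(1), [])
            elif role:
                block = roles.setdefault(role.group(1), [])
            else:
                block = None
        elif block is not None:
            block.append(line)
    # Keep only the ACL names from the role bodies.
    for name, body in roles.items():
        roles[name] = [m.group(1) for m in map(ROLE_ACL_REF.match, body) if m]
    return acls, roles


def is_permit_all(rule):
    """True for 'any any any permit' (source, destination, service), with or without 'ipv6'."""
    tokens = rule.split()
    if tokens[:1] == ["ipv6"]:
        tokens = tokens[1:]
    return tokens[:4] == ["any", "any", "any", "permit"]


def audit_roles(text):
    """Map each user-role to a list of findings about the session ACLs it applies."""
    acls, roles = parse_config(text)
    findings = {}
    for role, acl_names in roles.items():
        issues = []
        for name in acl_names:
            if name not in acls:
                issues.append(f"{name}: referenced but not defined")
                continue
            issues.extend(f"{name}: permit-all rule '{rule}'"
                          for rule in acls[name] if is_permit_all(rule))
        findings[role] = issues
    return findings


if __name__ == "__main__":
    for role, issues in audit_roles(SAMPLE_CONFIG).items():
        print(role, "->", issues or "no permit-all rule found")
```

In the Appendix B test configuration the ascom role applies the ascom session ACL, whose only rule is any any any permit, so a check of this kind would report it.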

Ascom Settings

The following Ascom i62 Handset configuration settings are recommended for use with Aruba Mobility Controllers.

Ascom i62 Configuration

World Mode Regulatory Domain: set to World mode
IP DSCP for Voice: 0xC0 (46) – Expedited Forwarding
IP DSCP for Signaling: 0x68 (26) – Assured Forwarding 31
Transmit Gratuitous ARP: Enable

Refer to Appendix A for additional details.

Test Methodology

Summary Test Results

The features and functions listed below were assessed during interoperability testing. The test results are presented in the right-most column.

WLAN Controller Features

High Level Functionality: Result

Association Open with No Encryption: OK
Association Open with Static WEP 64/128: Not tested
Association WPA-PSK TKIP: OK
Association WPA2-PSK TKIP / AES Encryption: OK
Association PEAP-MSCHAPv2 Auth TKIP Encryption: OK
Association PEAP-MSCHAPv2 Auth AES Encryption: OK
Association EAP-TLS: OK
Association Multiple ESSIDs: OK
Beacon Interval and DTIM Period: OK
Pre-authentication: N/A
PMKSA Caching: OK
WPA2-Opportunistic/Proactive Key Caching: OK
WMM Prioritization: OK
Active Mode (load test): OK
802.11 Power-Save Mode: OK
802.11e U-APSD: OK
802.11e U-APSD (load test): OK

Roaming

High Level Functionality: Result

Roaming Open with No Encryption: OK (Avg. roaming time 24 ms)
Roaming WPA-PSK TKIP Encryption: Not tested
Roaming WPA2-PSK AES Encryption: OK (Avg. roaming time 59 ms)
Roaming PEAP-MSCHAPv2 Auth AES Encryption: OK (Avg. roaming time 68 ms)

Note: Stated roaming times were measured using 802.11b/g (n), AP-225. Refer to Appendix B for detailed test records.

Note: Results observed with Opportunistic Key Caching enabled. Results average 400 ms without Opportunistic Key Caching.

Known Limitations

- Note that AP-205/214/215/224/225/275 only supports DTIM 1. This will reduce the standby (idle) time from approximately 100 hours to 60 hours.

- Ascom i62 does not handle 802.11k info correctly, which affects roaming negatively. It is therefore highly recommended to configure the Aruba system not to advertise the 802.11k capabilities for the Ascom i62 SSID.

Conclusion

The verification, including association, authentication, roaming and load test, produced very good results overall. Roaming times were in general good, with roaming times of around 40-60 ms both when using WPA2-PSK/AES and PEAP-MSCHAPv2 (WPA2/AES).

Load testing showed that more than 18 Ascom i62 Handsets could maintain a call via a single Aruba access point when tested both in active and U-APSD modes. Note that 18 was the maximum number of devices tested and not the capacity limit.

Appendix 1

This section includes screenshots and explanations of basic settings required to use Ascom i62 Handsets with an Aruba 3400 Mobility Controller. Please note the security settings of each test case, as they were modified according to the needs of the test cases.

The configuration file is found at the end of this appendix.

General settings (SSID, Radio and QoS)

Set DTIM Interval to 5 (for AP-204/205/214/215/224/225 only value 1 is supported). This value is recommended for maximum battery conservation without impacting call quality. Using a lower value will also decrease the standby time slightly.

Ascom recommends disabling the lowest rates and recommends that 12 Mbit/s is the lowest basic rate.

Ensure that WMM and U-APSD are enabled. To match the default values in the i62, ensure to use DSCP 46 for Voice, 26 for video and 0 for best effort. It is also recommended that “Max Transmit Attempts” be set to 4.

Note: To further optimize performance, it is recommended that 802.11b clients be disallowed from associating by setting 6 Mbps or 12 Mbps as Basic Rates in the 802.11g configuration.

Set “Maximum Transmit Failures” to 25.

“High throughput enable” enables 802.11n capabilities that are supported in combination with Open encryption and WPA2-AES (PSK or Enterprise).

Ascom supports both 40 MHz channels and Very High Throughput enabled SSIDs, including 80 MHz channels.

Ascom recommends a Beacon Interval of 100 ms and advertising 802.11d/h capabilities.

General guidelines when deploying Ascom i62 handsets (SW version 2.5.7 or later) in 802.11a/n environments:

1. Enabling more than 8 channels will degrade roaming performance. Ascom strongly recommends against going above this limit.

2. Using 40 MHz channels (or “channel-bonding”) will reduce the number of non-DFS channels to two in ETSI regions (Europe). In FCC regions (North America), 40 MHz is a more viable option because of the availability of additional non-DFS channels. The handset can co-exist with 40 MHz stations in the same ESS.

3. Make sure that all non-DFS channels are taken before resorting to DFS channels. The handset can cope in mixed non-DFS and DFS environments; however, due to “unpredictability” introduced by radar detection protocols, voice quality may become distorted and roaming delayed. Hence Ascom recommends avoiding the use of DFS channels in VoWi-Fi deployments.

DFS: Dynamic Frequency Selection (radar detection)

Ascom recommends a Beacon Interval of 100 ms and advertising 802.11d/h capabilities. For 802.11b/g/n, use only channels 1, 6 and 11. For 802.11a/n, use channels in accordance with Aruba’s guidelines and in compliance with local regulations.

Encryption and Authentication Settings

WPA2-PSK: Set the security profile to WPA2-PSK, AES encryption.

Enterprise/.1X authentication

Step 1: When configuring the authentication mode using a RADIUS server, the IP address and the secret must correspond to the IP address and the credential used by the RADIUS server. The RADIUS server should be added to a Server Group.

Step 2: Create an 802.1X Authentication Profile.

Step 3: Choose the 802.1X Authentication profile created in the previous step and configure the Authentication Server group.

Choose the configured AAA Profile and set WPA2/AES as the security mode.

See Appendix B for the controller configuration used for the certification process.

Ascom i62 Setting Summary

Network settings for WPA2-PSK

Network settings for .1X authentication (PEAP-MSCHAPv2)

802.1X Authentication requires a root certificate to be uploaded to the phone by “right clicking” -> Edit certificates. EAP-TLS will require both a root and a client certificate.

Note that both a root and a client certificate are needed for TLS. Otherwise only a root certificate is needed.

Server certificate validation can be overridden in version 4.1.12 and above per handset setting (Validate server certificate under Network settings).

APPENDIX B

Test Summary

Description: Runs

Tests passed: 24
Tests Not Run: 11
Tests fail: 0
Test N/A: 0
Total Number of Tests: 35

Aruba Test Configuration File

version 6.4
enable secret 7d3988e20126db68084797bcc038534bffc2ced01c24555806
hostname Aruba3400
clock timezone PST -8
location Building1floor1
controller config 716
ip NAT pool dynamic-srcnat 0.0.0.0 0.0.0.0
ip access-list eth validuserethacl
  permit any
netservice svc-pcoip2-tcp tcp 4172
netservice svc-snmp-trap udp 162
netservice svc-netbios-dgm udp 138
netservice svc-citrix tcp 2598
netservice svc-smb-tcp tcp 445
netservice svc-ike udp 500
netservice svc-l2tp udp 1701
netservice svc-syslog udp 514
netservice svc-dhcp udp 67 68 alg dhcp
netservice svc-https tcp 443
netservice svc-ica tcp 1494
netservice svc-pptp tcp 1723
netservice svc-telnet tcp 23
netservice svc-http-accl tcp 88
netservice svc-sccp tcp 2000 alg sccp
netservice svc-sec-papi udp 8209
netservice svc-tftp udp 69 alg tftp
netservice svc-kerberos udp 88
netservice svc-sip-tcp tcp 5060
netservice svc-netbios-ssn tcp 139
netservice svc-pcoip-udp udp 50002
netservice svc-pcoip-tcp tcp 50002
netservice svc-pop3 tcp 110
netservice svc-adp udp 8200
netservice svc-cfgm-tcp tcp 8211
netservice svc-noe udp 32512 alg noe
netservice svc-http-proxy3 tcp 8888
netservice svc-lpd-tcp tcp 631
netservice svc-msrpc-tcp tcp 135 139
netservice svc-rtsp tcp 554 alg rtsp
netservice svc-dns udp 53 alg dns
netservice vnc tcp 5900 5905
netservice svc-vocera udp 5002 alg vocera
netservice svc-h323-tcp tcp 1720
netservice svc-h323-udp udp 1718 1719
netservice svc-http tcp 80
netservice svc-nterm tcp 1026 1028
netservice svc-sip-udp udp 5060
netservice svc-http-proxy2 tcp 8080
netservice svc-noe-oxo udp 5000 alg noe
netservice svc-papi udp 8211
netservice svc-ftp tcp 21 alg ftp
netservice svc-natt udp 4500
netservice svc-svp 119 alg svp
netservice svc-microsoft-ds tcp 445
netservice svc-gre 47
netservice svc-smtp tcp 25
netservice web tcp list 80 443
netservice svc-smb-udp udp 445
netservice svc-sips tcp 5061 alg sips
netservice svc-netbios-ns udp 137
netservice svc-esp 50

netservice svc-cups tcp 515
netservice svc-pcoip2-udp udp 4172
netservice svc-bootp udp 67 69
netservice svc-snmp udp 161
netservice svc-v6-dhcp udp 546 547
netservice svc-icmp 1
netservice svc-ntp udp 123
netservice svc-msrpc-udp udp 135 139
netservice svc-ssh tcp 22
netservice svc-http-proxy1 tcp 3128
netservice svc-v6-icmp 58
netservice svc-lpd-udp udp 631
netservice svc-vmware-rdp tcp 3389
netdestination6 ipv6-reserved-range
  invert
  network 2000::/3
netexthdr default
time-range night-hours periodic
  weekday 18:01 to 23:59
  weekday 00:00 to 07:59
time-range weekend periodic
  weekend 00:00 to 23:59
time-range working-hours periodic
  weekday 08:00 to 18:00
ip access-list session allow-diskservices
  any any svc-netbios-dgm permit
  any any svc-netbios-ssn permit
  any any svc-microsoft-ds permit
  any any svc-netbios-ns permit
ip access-list session control
  any any svc-papi permit
  any any svc-sec-papi permit
  user any udp 68 deny
  any any svc-icmp permit
  any any svc-dns permit
  any any svc-cfgm-tcp permit
  any any svc-adp permit
  any any svc-tftp permit
  any any svc-dhcp permit
  any any svc-natt permit
ip access-list session v6-icmp-acl
ip access-list session apprf-ascom-sacl
ip access-list session validuser
  network 169.254.0.0 255.255.0.0 any any deny
  network 127.0.0.0 255.0.0.0 any any deny
  network 224.0.0.0 240.0.0.0 any any deny
  host 255.255.255.255 any any deny
  network 240.0.0.0 240.0.0.0 any any deny
  any any any permit
  ipv6 host fe80:: any any deny
  ipv6 network fc00::/7 any any permit
  ipv6 network fe80::/64 any any permit
  ipv6 alias ipv6-reserved-range any any deny
  ipv6 any any any permit
ip access-list session vocera-acl
  any any svc-vocera permit queue high

ip access-list session v6-https-acl
ip access-list session vmware-acl
  any any svc-vmware-rdp permit tos 46 dot1p-priority 6
  any any svc-pcoip-tcp permit tos 46 dot1p-priority 6
  any any svc-pcoip-udp permit tos 46 dot1p-priority 6
  any any svc-pcoip2-tcp permit tos 46 dot1p-priority 6
  any any svc-pcoip2-udp permit tos 46 dot1p-priority 6
ip access-list session apprf-default-vpn-role-sacl
ip access-list session v6-control
  ipv6 any any svc-papi permit
  ipv6 any any svc-sec-papi permit
  ipv6 user any udp 547 deny
  ipv6 any any svc-v6-icmp permit
  ipv6 any any svc-dns permit
  ipv6 any any svc-cfgm-tcp permit
  ipv6 any any svc-adp permit
  ipv6 any any svc-tftp permit
  ipv6 any any svc-dhcp permit
  ipv6 any any svc-natt permit
ip access-list session icmp-acl
  any any svc-icmp permit
ip access-list session apprf-authenticated-sacl
ip access-list session apprf-stateful-dot1x-sacl
ip access-list session captiveportal
  user alias controller svc-https dst-nat 8081
  user any svc-http dst-nat 8080
  user any svc-https dst-nat 8081
  user any svc-http-proxy1 dst-nat 8088
  user any svc-http-proxy2 dst-nat 8088
  user any svc-http-proxy3 dst-nat 8088
ip access-list session v6-dhcp-acl
ip access-list session allowall
  any any any permit
ip access-list session v6-dns-acl
ip access-list session apprf-voice-sacl
ip access-list session lync-acl
  any any svc-sips permit queue high
ip access-list session test
ip access-list session sip-acl
  any any svc-sip-udp permit queue high
  any any svc-sip-tcp permit queue high
ip access-list session https-acl
  any any svc-https permit
ip access-list session citrix-acl
  any any svc-citrix permit tos 46 dot1p-priority 6
  any any svc-ica permit tos 46 dot1p-priority 6
ip access-list session dns-acl
  any any svc-dns permit

ip access-list session ascom
  any any any permit
ip access-list session ra-guard
  ipv6 user any icmpv6 rtr-adv deny
ip access-list session allow-printservices
  any any svc-cups permit
  any any svc-lpd-tcp permit
  any any svc-lpd-udp permit
ip access-list session logon-control
  user any udp 68 deny
  any any svc-icmp permit
  any any svc-dns permit
  any any svc-dhcp permit
  any any svc-natt permit
  any network 169.254.0.0 255.255.0.0 any deny
  any network 240.0.0.0 240.0.0.0 any deny
ip access-list session vpnlogon
  user any svc-ike permit
  user any svc-esp permit
  any any svc-l2tp permit
  any any svc-pptp permit
  any any svc-gre permit
ip access-list session srcnat
  user any any src-nat
ip access-list session skinny-acl
  any any svc-sccp permit queue high
ip access-list session tftp-acl
  any any svc-tftp permit
ip access-list session v6-allowall
ip access-list session apprf-cpbase-sacl
ip access-list session cplogout
  user alias controller svc-https dst-nat 8081
ip access-list session apprf-default-via-role-sacl
ip access-list session dhcp-acl
  any any svc-dhcp permit
ip access-list session http-acl
  any any svc-http permit
ip access-list session v6-http-acl
ip access-list session captiveportal6
  ipv6 user alias controller6 svc-https captive
  ipv6 user any svc-http captive
  ipv6 user any svc-https captive
  ipv6 user any svc-http-proxy1 captive
  ipv6 user any svc-http-proxy2 captive
  ipv6 user any svc-http-proxy3 captive
ip access-list session apprf-guest-sacl
ip access-list session ap-uplink-acl
  any any udp 68 permit

  any any svc-icmp permit
  any host 224.0.0.251 udp 5353 permit
ip access-list session ap-acl
  any any svc-gre permit
  any any svc-syslog permit
  any user svc-snmp permit
  user any svc-http permit
  user any svc-http-accl permit
  user any svc-smb-tcp permit
  user any svc-msrpc-tcp permit
  user any svc-snmp-trap permit
  user any svc-ntp permit
  user alias controller svc-ftp permit
ip access-list session svp-acl
  any any svc-svp permit queue high
  user host 224.0.1.116 any permit
ip access-list session noe-acl
  any any svc-noe permit queue high
ip access-list session global-sacl
ip access-list session v6-ap-acl
  ipv6 any any svc-gre permit
  ipv6 any any svc-syslog permit
  ipv6 any user svc-snmp permit
  ipv6 user any svc-snmp-trap permit
  ipv6 user any svc-ntp permit
  ipv6 user alias controller6 svc-ftp permit
ip access-list session h323-acl
  any any svc-h323-tcp permit queue high
  any any svc-h323-udp permit queue high
ip access-list session v6-logon-control
  ipv6 any network fc00::/7 any permit
  ipv6 any network fe80::/64 any permit
  ipv6 any alias ipv6-reserved-range any deny
vpn-dialer default-dialer
  ike authentication PRE-SHARE 0fa4598253e270cc96afbec0732b06120e4a3d76a908f6e2
dot1x high-watermark 60
dot1x low-watermark 57
user-role ap-role
  access-list session ra-guard
  access-list session control
  access-list session ap-acl
  access-list session v6-control
  access-list session v6-ap-acl
user-role denyall
user-role default-vpn-role
  access-list session global-sacl
  access-list session apprf-default-vpn-role-sacl
  access-list session ra-guard
  access-list session allowall
  access-list session v6-allowall
user-role cpbase
  access-list session global-sacl
  access-list session apprf-cpbase-sacl

user-role voice
  access-list session global-sacl
  access-list session apprf-voice-sacl
  access-list session ra-guard
  access-list session sip-acl
  access-list session noe-acl
  access-list session svp-acl
  access-list session vocera-acl
  access-list session skinny-acl
  access-list session h323-acl
  access-list session dhcp-acl
  access-list session tftp-acl
  access-list session dns-acl
  access-list session icmp-acl
user-role ascom
  access-list session global-sacl
  access-list session apprf-ascom-sacl
  access-list session ascom
user-role default-via-role
  access-list session global-sacl
  access-list session apprf-default-via-role-sacl
  access-list session allowall
  access-list session v6-allowall
user-role guest-logon
  captive-portal default
  access-list session ra-guard
  access-list session logon-control
  access-list session captiveportal
  access-list session v6-logon-control
  access-list session captiveportal6
user-role guest
  access-list session global-sacl
  access-list session apprf-guest-sacl
  access-list session ra-guard
  access-list session http-acl
  access-list session https-acl
  access-list session dhcp-acl
  access-list session icmp-acl
  access-list session dns-acl
  access-list session v6-http-acl
  access-list session v6-https-acl
  access-list session v6-dhcp-acl
  access-list session v6-icmp-acl
  access-list session v6-dns-acl
user-role stateful-dot1x
  access-list session global-sacl
  access-list session apprf-stateful-dot1x-sacl
user-role authenticated
  access-list session global-sacl
  access-list session apprf-authenticated-sacl
  access-list session ra-guard
  access-list session allowall
  access-list session v6-allowall
user-role logon
  access-list session ra-guard
  access-list session logon-control
  access-list session captiveportal
  access-list session vpnlogon
  access-list session v6-logon-control

  access-list session captiveportal6
no kernel coredump
interface mgmt
  shutdown
dialer group evdo_us
  init-string ATQ0V1E0
  dial-string ATDT777
dialer group gsm_us
  init-string AT+CGDCONT=1IPISPCINGULAR
  dial-string ATD99
dialer group gsm_asia
  init-string AT+CGDCONT=1IPinternet
  dial-string ATD991
dialer group vivo_br
  init-string AT+CGDCONT=1IPzapvivocombr
  dial-string ATD99
no spanning-tree
interface gigabitethernet 1/0
  description GE1/0
  trusted
  trusted vlan 1-4094
interface gigabitethernet 1/1
  description GE1/1
  trusted
  trusted vlan 1-4094
interface gigabitethernet 1/2
  description GE1/2
  trusted
  trusted vlan 1-4094
interface gigabitethernet 1/3
  description GE1/3
  trusted
  trusted vlan 1-4094
interface vlan 1
  ip address 192.168.0.13 255.255.255.0
ip default-gateway 172201061
ip default-gateway 192.168.0.50
uplink disable

crypto isakmp policy 20
  encryption aes256
crypto isakmp policy 10001
crypto isakmp policy 10002
  encryption aes256
  authentication rsa-sig
crypto isakmp policy 10003
  encryption aes256
crypto isakmp policy 10004
  version v2
  encryption aes256
  authentication rsa-sig
crypto isakmp policy 10005
  encryption aes256
crypto isakmp policy 10006
  version v2
  encryption aes128
  authentication rsa-sig
crypto isakmp policy 10007
  version v2
  encryption aes128
crypto isakmp policy 10008
  version v2
  encryption aes128
  hash sha2-256-128
  group 19
  authentication ecdsa-256
  prf prf-hmac-sha256
crypto isakmp policy 10009
  version v2
  encryption aes256
  hash sha2-384-192
  group 20
  authentication ecdsa-384
  prf prf-hmac-sha384
crypto ipsec transform-set default-ha-transform esp-3des esp-sha-hmac
crypto ipsec transform-set default-boc-bm-transform esp-3des esp-sha-hmac
crypto ipsec transform-set default-rap-transform esp-aes256 esp-sha-hmac
crypto ipsec transform-set default-aes esp-aes256 esp-sha-hmac
crypto dynamic-map default-rap-ipsecmap 10001
  version v2
  set transform-set default-gcm256 default-gcm128 default-rap-transform
crypto dynamic-map default-dynamicmap 10000
  set transform-set default-transform default-aes

crypto map GLOBAL-IKEV2-MAP 10000 ipsec-isakmp dynamic default-rap-ipsecmap
crypto map GLOBAL-MAP 10000 ipsec-isakmp dynamic default-dynamicmap
crypto isakmp eap-passthrough eap-tls
crypto isakmp eap-passthrough eap-peap
crypto isakmp eap-passthrough eap-mschapv2
vpdn group l2tp
vpdn group pptp
tunneled-node-address 0.0.0.0
adp discovery enable
adp igmp-join enable
adp igmp-vlan 0
voice rtcp-inactivity disable
voice alg-based-cac enable
voice sip-midcall-req-timeout disable
ap ap-blacklist-time 3600
ap flush-r1-on-new-r0 disable
mgmt-user admin root 5436b5a101681372db26d314e974065944317cd3e1fe6a5534
no database synchronize
ip mobile domain default
airgroup mdns enable
airgroup dlna enable
airgroup location-discovery enable
airgroup active-wireless-discovery disable
airgroupservice airplay
  id _airplay_tcp
  id _raop_tcp
  id _appletv-v2_tcp
  description AirPlay
airgroupservice airprint
  id _ipp_tcp
  id _pdl-datastream_tcp
  id _printer_tcp
  id _scanner_tcp
  id _universal_sub_ipp_tcp
  id _universal_sub_ipps_tcp
  id _printer_sub_http_tcp
  id _http_tcp

  id _http-alt_tcp
  id _ipp-tls_tcp
  id _fax-ipp_tcp
  id _riousbprint_tcp
  id _cups_sub_ipp_tcp
  id _cups_sub_fax-ipp_tcp
  id _ica-networking_tcp
  id _ptp_tcp
  id _canon-bjnp1_tcp
  id _ipps_tcp
  id _ica-networking2_tcp
  description AirPrint
airgroupservice itunes
  id _home-sharing_tcp
  id _apple-mobdev_tcp
  id _daap_tcp
  id _dacp_tcp
  description iTunes
airgroupservice remotemgmt
  id _ssh_tcp
  id _sftp-ssh_tcp
  id _ftp_tcp
  id _telnet_tcp
  id _rfb_tcp
  id _net-assistant_tcp
  description Remote management
airgroupservice sharing
  id _odisk_tcp
  id _afpovertcp_tcp
  id _xgrid_tcp
  description Sharing
airgroupservice chat
  id _presence_tcp
  description Chat
airgroupservice googlecast
  id _googlecast_tcp
  description GoogleCast supported by Chromecast etc
airgroupservice DIAL
  id urndial-multiscreen-orgservicedial1
  id urndial-multiscreen-orgdevicedial1
  description DIAL supported by Chromecast FireTV Roku etc
airgroupservice DLNA Media
  id urnschemas-upnp-orgdeviceMediaServer1
  id urnschemas-upnp-orgdeviceMediaServer2
  id urnschemas-upnp-orgdeviceMediaServer3
  id urnschemas-upnp-orgdeviceMediaServer4
  id urnschemas-upnp-orgdeviceMediaRenderer1
  id urnschemas-upnp-orgdeviceMediaRenderer2
  id urnschemas-upnp-orgdeviceMediaRenderer3
  id urnschemas-upnp-orgdeviceMediaPlayer1
  description Media
airgroupservice DLNA Print
  id urnschemas-upnp-orgdevicePrinter1
  id urnschemas-upnp-orgservicePrintBasic1
  id urnschemas-upnp-orgservicePrintEnhanced1
  description Print
airgroupservice allowall

  description Remaining-Services
airgroup service airplay enable
airgroup service airprint enable
airgroup service itunes disable
airgroup service remotemgmt disable
airgroup service sharing disable
airgroup service chat disable
airgroup service googlecast disable
airgroup service DIAL enable
airgroup service DLNA Media disable
airgroup service DLNA Print disable
airgroup service allowall disable
ip igmp
ipv6 mld
no firewall attack-rate cp 1024
firewall enable ICE-STUN based firewall traversal
firewall attack-rate grat-arp 50 drop
ipv6 firewall ext-hdr-parse-len 100
firewall cp
ip domain lookup
country US
aaa authentication mac default
aaa authentication dot1x ArubaIntop-dot1x_prof
aaa authentication dot1x ascom
  machine-authentication enable
  machine-authentication machine-default-role ascom
  machine-authentication user-default-role authenticated
  reauthentication
  termination enable
  termination eap-type eap-peap
  termination inner-eap-type eap-mschapv2
aaa authentication dot1x default
aaa authentication dot1x Freeradius
  machine-authentication enable
  machine-authentication machine-default-role ascom
  machine-authentication user-default-role authenticated
aaa authentication-server radius Intop
  host 192.168.0.2

   key 6035e299cd29e5ccb74cf92aac31ee2f
aaa server-group ascom
   auth-server Internal
aaa server-group default
   auth-server Internal
   set role condition role value-of
aaa server-group intop
   auth-server Intop
aaa profile ascom
   initial-role ascom
   authentication-dot1x ascom
   dot1x-default-role authenticated
   dot1x-server-group ascom
aaa profile default
aaa profile default-dot1x
   initial-role ascom
   authentication-dot1x Freeradius
   dot1x-default-role authenticated
   dot1x-server-group intop
aaa profile default-dot1x-psk
   initial-role ascom
   authentication-dot1x default-psk
   dot1x-default-role authenticated
aaa authentication captive-portal default
aaa authentication wispr default
aaa authentication vpn default
aaa authentication vpn default-rap
aaa authentication mgmt
aaa authentication stateful-ntlm default
aaa authentication stateful-kerberos default
aaa authentication stateful-dot1x
   server-group intop
aaa authentication wired
web-server
guest-access-email
voice logging
voice dialplan-profile default
app lync traffic-control default
voice real-time-config
voice sip
aaa password-policy mgmt

control-plane-security
   no cpsec-enable
ids wms-general-profile
   poll-retries 3
ids wms-local-system-profile
valid-network-oui-profile
upgrade-profile
license profile
activate-service-whitelist
file syncing profile
ifmap cppm
pan profile default
pan active-profile
ap system-profile default
ap regulatory-domain-profile default
   country-code US
   valid-11g-channel 1
   valid-11g-channel 6
   valid-11g-channel 11
   valid-11a-channel 36
   valid-11a-channel 40
   valid-11a-channel 44
   valid-11a-channel 48
   valid-11a-channel 149
   valid-11a-channel 153
   valid-11a-channel 157
   valid-11a-channel 161
   valid-11a-channel 165
   valid-11g-40mhz-channel-pair 1-5
   valid-11g-40mhz-channel-pair 7-11
   valid-11a-40mhz-channel-pair 36-40
   valid-11a-40mhz-channel-pair 44-48
   valid-11a-40mhz-channel-pair 149-153
   valid-11a-40mhz-channel-pair 157-161
ap wired-ap-profile default
ap enet-link-profile default
ap mesh-ht-ssid-profile default
ap lldp med-network-policy-profile default
ap mesh-cluster-profile default
ap lldp profile default
ap mesh-radio-profile default
ap wired-port-profile default
ids general-profile default
ids unauthorized-device-profile default

ids profile default
rf arm-profile default
   assignment disable
rf arm-profile disable
   assignment disable
   no scanning
   no multi-band-scan
rf optimization-profile default
rf event-thresholds-profile default
rf am-scan-profile default
rf dot11a-radio-profile ch 165
   channel 48E
   tx-power 6
   arm-profile disable
rf dot11a-radio-profile ch 36
   channel 36E
   tx-power 25
   dot11h
   arm-profile disable
rf dot11a-radio-profile ch 40
   channel 40-
   tx-power 22
rf dot11a-radio-profile ch149
   channel 149E
   tx-power 6
   dot11h
rf dot11a-radio-profile ch44
   channel 44
   tx-power 16
rf dot11a-radio-profile default
   arm-profile disable
rf dot11g-radio-profile channel-1
   channel 1
   tx-power 6
   dot11h
   arm-profile disable
rf dot11g-radio-profile channel-11
   channel 11
   tx-power 30
   dot11h
   arm-profile disable
rf dot11g-radio-profile channel-6
   channel 6
   tx-power 25
   dot11h
   arm-profile disable
rf dot11g-radio-profile default
wlan handover-trigger-profile default

wlan rrm-ie-profile default
wlan bcn-rpt-req-profile default
wlan dot11r-profile default
wlan tsm-req-profile default
wlan voip-cac-profile default
   call-capacity 5
   bandwidth-capacity 200
   send-sip-status-code client 503
   send-sip-status-code server 503
wlan ht-ssid-profile default
   no 40MHz-enable
   no very-high-throughput-enable
   no 80MHz-enable
   no short-guard-intvl-20MHz
   no short-guard-intvl-40MHz
   no short-guard-intvl-80MHz
wlan hotspot anqp-venue-name-profile default
wlan hotspot anqp-nwk-auth-profile default
wlan hotspot anqp-roam-cons-profile default
wlan hotspot anqp-nai-realm-profile default
wlan hotspot anqp-3gpp-nwk-profile default
wlan hotspot h2qp-operator-friendly-name-profile default
wlan hotspot h2qp-wan-metrics-profile default
wlan hotspot h2qp-conn-capability-profile default
wlan hotspot h2qp-op-cl-profile default
wlan hotspot anqp-ip-addr-avail-profile default
wlan hotspot anqp-domain-name-profile default
wlan wmm-traffic-management-profile Ascom
   enable-shaping
wlan edca-parameters-profile station default
wlan edca-parameters-profile ap default
wlan dot11k-profile default
wlan ssid-profile --NEW--
   essid ArubaIntop2
   wmm-vo-dscp 56
   wmm-vi-dscp 40
   wmm-be-dscp 24
   wmm-bk-dscp 8
wlan ssid-profile default
   essid ArubaIntop
   opmode wpa2-psk-aes
   dtim-period 5
   g-basic-rates 6
   g-tx-rates 11 12 18 24 36 48 54

   max-retries 4
   wmm
   wmm-vo-dscp 46
   wmm-vi-dscp 40
   wmm-be-dscp 26
   wmm-bk-dscp 0
   wepkey1 1317981aecb1ee9a3145cbeeabbbc99a4c29e309ef9c8544
   wpa-passphrase 50a78a5dac7e447441e028920cceef898a3ba5f29c6e2098
   max-tx-fail 25
   edca-parameters-profile station default
   edca-parameters-profile ap default
wlan ssid-profile test
   opmode wpa2-psk-aes
   wmm-vo-dscp 56
   wmm-vi-dscp 40
   wmm-be-dscp 24
   wmm-bk-dscp 8
   wpa-passphrase c66913b490044f55538730b888a8522c02008a746fb88738
wlan hotspot advertisement-profile default
wlan hotspot hs2-profile default
wlan virtual-ap default
   aaa-profile default-dot1x
ap provisioning-profile default
rf arm-rf-domain-profile
   arm-rf-domain-key 49868e8b02680a8f03980ea4288197a4
ap-lacp-striping-ip
ap-group default
   virtual-ap default
   dot11a-radio-profile ch149
   dot11g-radio-profile channel-6
ap-name 001a1eca2c1a
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-11
ap-name 001a1eca2c76
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-1
ap-name 00246ccbf8b1
ap-name 00246ccbf900
   dot11a-radio-profile ch44
   dot11g-radio-profile channel-11
ap-name 24dec6cacabc
   dot11a-radio-profile ch149
   dot11g-radio-profile channel-1
ap-name 3400-ap-61-a
   dot11g-radio-profile channel-6
ap-name 3400-ap-61-b
   dot11g-radio-profile channel-6
ap-name 9c1c12c0c3bc
   dot11a-radio-profile ch 165
   dot11g-radio-profile channel-6

ap-name 9c1c12c82e5c
   dot11a-radio-profile ch149
   dot11g-radio-profile channel-1
ap-name 9c1c12cc6220
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-6
ap-name d8c7c8c0a168
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-1
airgroup cppm-server aaa
logging level warnings security subcat ids
logging level warnings security subcat ids-ap
snmp-server enable trap
snmp-server trap source 0000
snmp-server trap disable wlsxAdhocNetwork
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedAP
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedSta
snmp-server trap disable wlsxAdhocUsingValidSSID
snmp-server trap disable wlsxAuthMaxAclEntries
snmp-server trap disable wlsxAuthMaxBWContracts
snmp-server trap disable wlsxAuthMaxUserEntries
snmp-server trap disable wlsxAuthServerIsUp
snmp-server trap disable wlsxAuthServerReqTimedOut
snmp-server trap disable wlsxAuthServerTimedOut
snmp-server trap disable wlsxChannelChanged
snmp-server trap disable wlsxCoverageHoleDetected
snmp-server trap disable wlsxDBCommunicationFailure
snmp-server trap disable wlsxDisconnectStationAttack
snmp-server trap disable wlsxESIServerDown
snmp-server trap disable wlsxESIServerUp
snmp-server trap disable wlsxFanFailure
snmp-server trap disable wlsxFanTrayInserted
snmp-server trap disable wlsxFanTrayRemoved
snmp-server trap disable wlsxGBICInserted
snmp-server trap disable wlsxIpSpoofingDetected
snmp-server trap disable wlsxLCInserted
snmp-server trap disable wlsxLCRemoved
snmp-server trap disable wlsxLicenseExpiry
snmp-server trap disable wlsxLowMemory
snmp-server trap disable wlsxLowOnFlashSpace
snmp-server trap disable wlsxOutOfRangeTemperature
snmp-server trap disable wlsxOutOfRangeVoltage
snmp-server trap disable wlsxPowerSupplyFailure
snmp-server trap disable wlsxPowerSupplyMissing
snmp-server trap disable wlsxProcessDied
snmp-server trap disable wlsxProcessExceedsMemoryLimits
snmp-server trap disable wlsxSCInserted
snmp-server trap disable wlsxSignatureMatch
snmp-server trap disable wlsxStaUnAssociatedFromUnsecureAP
snmp-server trap disable wlsxStationAddedToBlackList
snmp-server trap disable wlsxStationRemovedFromBlackList
snmp-server trap disable wlsxSwitchIPChanged
snmp-server trap disable wlsxSwitchRoleChange
snmp-server trap disable wlsxUserAuthenticationFailed
snmp-server trap disable wlsxUserEntryAuthenticated
snmp-server trap disable wlsxUserEntryChanged
snmp-server trap disable wlsxUserEntryCreated
snmp-server trap disable wlsxUserEntryDeAuthenticated
snmp-server trap disable wlsxUserEntryDeleted
snmp-server trap disable wlsxVrrpStateChange

firewall-visibility
process monitor log
end

WLAN TR

version 64enable secret 7d3988e20126db68084797bcc038534bffc2ced01c24555806hostname Aruba3400clock timezone PST -8location Building1floor1 controller config 716ip NAT pool dynamic-srcnat 0000 0000ip access-list eth validuserethacl permit any netservice svc-pcoip2-tcp tcp 4172netservice svc-snmp-trap udp 162netservice svc-netbios-dgm udp 138netservice svc-citrix tcp 2598netservice svc-smb-tcp tcp 445netservice svc-ike udp 500netservice svc-l2tp udp 1701netservice svc-syslog udp 514netservice svc-dhcp udp 67 68 alg dhcpnetservice svc-https tcp 443netservice svc-ica tcp 1494netservice svc-pptp tcp 1723netservice svc-telnet tcp 23netservice svc-http-accl tcp 88netservice svc-sccp tcp 2000 alg sccpnetservice svc-sec-papi udp 8209netservice svc-tftp udp 69 alg tftpnetservice svc-kerberos udp 88netservice svc-sip-tcp tcp 5060netservice svc-netbios-ssn tcp 139netservice svc-pcoip-udp udp 50002netservice svc-pcoip-tcp tcp 50002netservice svc-pop3 tcp 110netservice svc-adp udp 8200netservice svc-cfgm-tcp tcp 8211netservice svc-noe udp 32512 alg noenetservice svc-http-proxy3 tcp 8888netservice svc-lpd-tcp tcp 631netservice svc-msrpc-tcp tcp 135 139netservice svc-rtsp tcp 554 alg rtspnetservice svc-dns udp 53 alg dnsnetservice vnc tcp 5900 5905netservice svc-vocera udp 5002 alg voceranetservice svc-h323-tcp tcp 1720netservice svc-h323-udp udp 1718 1719netservice svc-http tcp 80netservice svc-nterm tcp 1026 1028netservice svc-sip-udp udp 5060netservice svc-http-proxy2 tcp 8080netservice svc-noe-oxo udp 5000 alg noenetservice svc-papi udp 8211netservice svc-ftp tcp 21 alg ftpnetservice svc-natt udp 4500netservice svc-svp 119 alg svpnetservice svc-microsoft-ds tcp 445netservice svc-gre 47netservice svc-smtp tcp 25netservice web tcp list 80 443netservice svc-smb-udp udp 445netservice svc-sips tcp 5061 alg sipsnetservice svc-netbios-ns udp 137netservice svc-esp 50netservice svc-cups tcp 515netservice svc-pcoip2-udp udp 4172netservice svc-bootp udp 67 69netservice svc-snmp udp 
161netservice svc-v6-dhcp udp 546 547netservice svc-icmp 1netservice svc-ntp udp 123netservice svc-msrpc-udp udp 135 139netservice svc-ssh tcp 22netservice svc-http-proxy1 tcp 3128netservice svc-v6-icmp 58netservice svc-lpd-udp udp 631netservice svc-vmware-rdp tcp 3389netdestination6 ipv6-reserved-range invert network 20003netexthdr defaulttime-range night-hours periodic weekday 1801 to 2359 weekday 0000 to 0759time-range weekend periodic weekend 0000 to 2359time-range working-hours periodic weekday 0800 to 1800ip access-list session allow-diskservices any any svc-netbios-dgm permit any any svc-netbios-ssn permit any any svc-microsoft-ds permit any any svc-netbios-ns permit ip access-list session control any any svc-papi permit any any svc-sec-papi permit user any udp 68 deny any any svc-icmp permit any any svc-dns permit any any svc-cfgm-tcp permit any any svc-adp permit any any svc-tftp permit any any svc-dhcp permit any any svc-natt permit ip access-list session v6-icmp-aclip access-list session apprf-ascom-saclip access-list session validuser network 16925400 25525500 any any deny network 127000 255000 any any deny network 224000 240000 any any deny host 255255255255 any any deny network 240000 240000 any any deny any any any permit ipv6 host fe80 any any deny ipv6 network fc007 any any permit ipv6 network fe8064 any any permit ipv6 alias ipv6-reserved-range any any deny ipv6 any any any permit ip access-list session vocera-acl any any svc-vocera permit queue high ip access-list session v6-https-aclip access-list session vmware-acl any any svc-vmware-rdp permit tos 46 dot1p-priority 6 any any svc-pcoip-tcp permit tos 46 dot1p-priority 6 any any svc-pcoip-udp permit tos 46 dot1p-priority 6 any any svc-pcoip2-tcp permit tos 46 dot1p-priority 6 any any svc-pcoip2-udp permit tos 46 dot1p-priority 6 ip access-list session apprf-default-vpn-role-saclip access-list session v6-control ipv6 any any svc-papi permit ipv6 any any svc-sec-papi permit ipv6 user any udp 547 
deny ipv6 any any svc-v6-icmp permit ipv6 any any svc-dns permit ipv6 any any svc-cfgm-tcp permit ipv6 any any svc-adp permit ipv6 any any svc-tftp permit ipv6 any any svc-dhcp permit ipv6 any any svc-natt permit ip access-list session icmp-acl any any svc-icmp permit ip access-list session apprf-authenticated-saclip access-list session apprf-stateful-dot1x-saclip access-list session captiveportal user alias controller svc-https dst-nat 8081 user any svc-http dst-nat 8080 user any svc-https dst-nat 8081 user any svc-http-proxy1 dst-nat 8088 user any svc-http-proxy2 dst-nat 8088 user any svc-http-proxy3 dst-nat 8088 ip access-list session v6-dhcp-aclip access-list session allowall any any any permit ip access-list session v6-dns-aclip access-list session apprf-voice-saclip access-list session lync-acl any any svc-sips permit queue high ip access-list session testip access-list session sip-acl any any svc-sip-udp permit queue high any any svc-sip-tcp permit queue high ip access-list session https-acl any any svc-https permit ip access-list session citrix-acl any any svc-citrix permit tos 46 dot1p-priority 6 any any svc-ica permit tos 46 dot1p-priority 6 ip access-list session dns-acl any any svc-dns permit ip access-list session ascom any any any permit ip access-list session ra-guard ipv6 user any icmpv6 rtr-adv deny ip access-list session allow-printservices any any svc-cups permit any any svc-lpd-tcp permit any any svc-lpd-udp permit ip access-list session logon-control user any udp 68 deny any any svc-icmp permit any any svc-dns permit any any svc-dhcp permit any any svc-natt permit any network 16925400 25525500 any deny any network 240000 240000 any deny ip access-list session vpnlogon user any svc-ike permit user any svc-esp permit any any svc-l2tp permit any any svc-pptp permit any any svc-gre permit ip access-list session srcnat user any any src-nat ip access-list session skinny-acl any any svc-sccp permit queue high ip access-list session tftp-acl any any 
svc-tftp permit ip access-list session v6-allowallip access-list session apprf-cpbase-saclip access-list session cplogout user alias controller svc-https dst-nat 8081 ip access-list session apprf-default-via-role-saclip access-list session dhcp-acl any any svc-dhcp permit ip access-list session http-acl any any svc-http permit ip access-list session v6-http-aclip access-list session captiveportal6 ipv6 user alias controller6 svc-https captive ipv6 user any svc-http captive ipv6 user any svc-https captive ipv6 user any svc-http-proxy1 captive ipv6 user any svc-http-proxy2 captive ipv6 user any svc-http-proxy3 captive ip access-list session apprf-guest-saclip access-list session ap-uplink-acl any any udp 68 permit any any svc-icmp permit any host 22400251 udp 5353 permit ip access-list session ap-acl any any svc-gre permit any any svc-syslog permit any user svc-snmp permit user any svc-http permit user any svc-http-accl permit user any svc-smb-tcp permit user any svc-msrpc-tcp permit user any svc-snmp-trap permit user any svc-ntp permit user alias controller svc-ftp permit ip access-list session svp-acl any any svc-svp permit queue high user host 22401116 any permit ip access-list session noe-acl any any svc-noe permit queue high ip access-list session global-saclip access-list session v6-ap-acl ipv6 any any svc-gre permit ipv6 any any svc-syslog permit ipv6 any user svc-snmp permit ipv6 user any svc-snmp-trap permit ipv6 user any svc-ntp permit ipv6 user alias controller6 svc-ftp permit ip access-list session h323-acl any any svc-h323-tcp permit queue high any any svc-h323-udp permit queue high ip access-list session v6-logon-control ipv6 any network fc007 any permit ipv6 any network fe8064 any permit ipv6 any alias ipv6-reserved-range any deny vpn-dialer default-dialer ike authentication PRE-SHARE 0fa4598253e270cc96afbec0732b06120e4a3d76a908f6e2dot1x high-watermark 60dot1x low-watermark 57user-role ap-role access-list session ra-guard access-list session control 
access-list session ap-acl access-list session v6-control access-list session v6-ap-acluser-role denyalluser-role default-vpn-role access-list session global-sacl access-list session apprf-default-vpn-role-sacl access-list session ra-guard access-list session allowall access-list session v6-allowalluser-role cpbase access-list session global-sacl access-list session apprf-cpbase-sacluser-role voice access-list session global-sacl access-list session apprf-voice-sacl access-list session ra-guard access-list session sip-acl access-list session noe-acl access-list session svp-acl access-list session vocera-acl access-list session skinny-acl access-list session h323-acl access-list session dhcp-acl access-list session tftp-acl access-list session dns-acl access-list session icmp-acluser-role ascom access-list session global-sacl access-list session apprf-ascom-sacl access-list session ascomuser-role default-via-role access-list session global-sacl access-list session apprf-default-via-role-sacl access-list session allowall access-list session v6-allowalluser-role guest-logon captive-portal default access-list session ra-guard access-list session logon-control access-list session captiveportal access-list session v6-logon-control access-list session captiveportal6user-role guest access-list session global-sacl access-list session apprf-guest-sacl access-list session ra-guard access-list session http-acl access-list session https-acl access-list session dhcp-acl access-list session icmp-acl access-list session dns-acl access-list session v6-http-acl access-list session v6-https-acl access-list session v6-dhcp-acl access-list session v6-icmp-acl access-list session v6-dns-acluser-role stateful-dot1x access-list session global-sacl access-list session apprf-stateful-dot1x-sacluser-role authenticated access-list session global-sacl access-list session apprf-authenticated-sacl access-list session ra-guard access-list session allowall access-list session v6-allowalluser-role 
logon access-list session ra-guard access-list session logon-control access-list session captiveportal access-list session vpnlogon access-list session v6-logon-control access-list session captiveportal6no kernel coredumpinterface mgmtshutdowndialer group evdo_us init-string ATQ0V1E0 dial-string ATDT777dialer group gsm_us init-string AT+CGDCONT=1IPISPCINGULAR dial-string ATD99dialer group gsm_asia init-string AT+CGDCONT=1IPinternet dial-string ATD991dialer group vivo_br init-string AT+CGDCONT=1IPzapvivocombr dial-string ATD99no spanning-treeinterface gigabitethernet 10description GE10trustedtrusted vlan 1-4094interface gigabitethernet 11description GE11trustedtrusted vlan 1-4094interface gigabitethernet 12description GE12trustedtrusted vlan 1-4094interface gigabitethernet 13description GE13trustedtrusted vlan 1-4094interface vlan 1ip address 192168013 2552552550ip default-gateway 172201061ip default-gateway 192168050uplink disablecrypto isakmp policy 20 encryption aes256crypto isakmp policy 10001crypto isakmp policy 10002 encryption aes256 authentication rsa-sigcrypto isakmp policy 10003 encryption aes256crypto isakmp policy 10004 version v2 encryption aes256 authentication rsa-sigcrypto isakmp policy 10005 encryption aes256crypto isakmp policy 10006 version v2 encryption aes128 authentication rsa-sigcrypto isakmp policy 10007 version v2 encryption aes128crypto isakmp policy 10008 version v2 encryption aes128 hash sha2-256-128 group 19 authentication ecdsa-256 prf prf-hmac-sha256crypto isakmp policy 10009 version v2 encryption aes256 hash sha2-384-192 group 20 authentication ecdsa-384 prf prf-hmac-sha384crypto ipsec transform-set default-ha-transform esp-3des esp-sha-hmaccrypto ipsec transform-set default-boc-bm-transform esp-3des esp-sha-hmaccrypto ipsec transform-set default-rap-transform esp-aes256 esp-sha-hmaccrypto ipsec transform-set default-aes esp-aes256 esp-sha-hmaccrypto dynamic-map default-rap-ipsecmap 10001 version v2 set transform-set default-gcm256 
default-gcm128 default-rap-transform crypto dynamic-map default-dynamicmap 10000 set transform-set default-transform default-aes crypto map GLOBAL-IKEV2-MAP 10000 ipsec-isakmp dynamic default-rap-ipsecmapcrypto map GLOBAL-MAP 10000 ipsec-isakmp dynamic default-dynamicmapcrypto isakmp eap-passthrough eap-tlscrypto isakmp eap-passthrough eap-peapcrypto isakmp eap-passthrough eap-mschapv2vpdn group l2tp vpdn group pptptunneled-node-address 0000adp discovery enableadp igmp-join enableadp igmp-vlan 0voice rtcp-inactivity disablevoice alg-based-cac enablevoice sip-midcall-req-timeout disableap ap-blacklist-time 3600ap flush-r1-on-new-r0 disablemgmt-user admin root 5436b5a101681372db26d314e974065944317cd3e1fe6a5534no database synchronizeip mobile domain defaultairgroup mdns enableairgroup dlna enableairgroup location-discovery enableairgroup active-wireless-discovery disableairgroupservice airplay id _airplay_tcp id _raop_tcp id _appletv-v2_tcp description AirPlayairgroupservice airprint id _ipp_tcp id _pdl-datastream_tcp id _printer_tcp id _scanner_tcp id _universal_sub_ipp_tcp id _universal_sub_ipps_tcp id _printer_sub_http_tcp id _http_tcp id _http-alt_tcp id _ipp-tls_tcp id _fax-ipp_tcp id _riousbprint_tcp id _cups_sub_ipp_tcp id _cups_sub_fax-ipp_tcp id _ica-networking_tcp id _ptp_tcp id _canon-bjnp1_tcp id _ipps_tcp id _ica-networking2_tcp description AirPrintairgroupservice itunes id _home-sharing_tcp id _apple-mobdev_tcp id _daap_tcp id _dacp_tcp description iTunesairgroupservice remotemgmt id _ssh_tcp id _sftp-ssh_tcp id _ftp_tcp id _telnet_tcp id _rfb_tcp id _net-assistant_tcp description Remote managementairgroupservice sharing id _odisk_tcp id _afpovertcp_tcp id _xgrid_tcp description Sharingairgroupservice chat id _presence_tcp description Chatairgroupservice googlecast id _googlecast_tcp description GoogleCast supported by Chromecast etcairgroupservice DIAL id urndial-multiscreen-orgservicedial1 id urndial-multiscreen-orgdevicedial1 description DIAL 
supported by Chromecast FireTV Roku etcairgroupservice DLNA Media id urnschemas-upnp-orgdeviceMediaServer1 id urnschemas-upnp-orgdeviceMediaServer2 id urnschemas-upnp-orgdeviceMediaServer3 id urnschemas-upnp-orgdeviceMediaServer4 id urnschemas-upnp-orgdeviceMediaRenderer1 id urnschemas-upnp-orgdeviceMediaRenderer2 id urnschemas-upnp-orgdeviceMediaRenderer3 id urnschemas-upnp-orgdeviceMediaPlayer1 description Mediaairgroupservice DLNA Print id urnschemas-upnp-orgdevicePrinter1 id urnschemas-upnp-orgservicePrintBasic1 id urnschemas-upnp-orgservicePrintEnhanced1 description Printairgroupservice allowall description Remaining-Servicesairgroup service airplay enableairgroup service airprint enableairgroup service itunes disableairgroup service remotemgmt disableairgroup service sharing disableairgroup service chat disableairgroup service googlecast disableairgroup service DIAL enableairgroup service DLNA Media disableairgroup service DLNA Print disableairgroup service allowall disableip igmpipv6 mldno firewall attack-rate cp 1024firewall enable ICE-STUN based firewall traversalfirewall attack-rate grat-arp 50 dropipv6 firewall ext-hdr-parse-len 100firewall cpip domain lookupcountry USaaa authentication mac defaultaaa authentication dot1x ArubaIntop-dot1x_profaaa authentication dot1x ascom machine-authentication enable machine-authentication machine-default-role ascom machine-authentication user-default-role authenticated reauthentication termination enable termination eap-type eap-peap termination inner-eap-type eap-mschapv2aaa authentication dot1x defaultaaa authentication dot1x Freeradius machine-authentication enable machine-authentication machine-default-role ascom machine-authentication user-default-role authenticatedaaa authentication-server radius Intop host 19216802 key 6035e299cd29e5ccb74cf92aac31ee2faaa server-group ascom auth-server Internalaaa server-group default auth-server Internal set role condition role value-ofaaa server-group intop auth-server 
Intopaaa profile ascom initial-role ascom authentication-dot1x ascom dot1x-default-role authenticated dot1x-server-group ascomaaa profile defaultaaa profile default-dot1x initial-role ascom authentication-dot1x Freeradius dot1x-default-role authenticated dot1x-server-group intopaaa profile default-dot1x-psk initial-role ascom authentication-dot1x default-psk dot1x-default-role authenticatedaaa authentication captive-portal defaultaaa authentication wispr defaultaaa authentication vpn defaultaaa authentication vpn default-rapaaa authentication mgmtaaa authentication stateful-ntlm defaultaaa authentication stateful-kerberos defaultaaa authentication stateful-dot1x server-group intopaaa authentication wiredweb-serverguest-access-emailvoice loggingvoice dialplan-profile defaultapp lync traffic-control defaultvoice real-time-configvoice sipaaa password-policy mgmtcontrol-plane-security no cpsec-enableids wms-general-profile poll-retries 3ids wms-local-system-profilevalid-network-oui-profileupgrade-profilelicense profileactivate-service-whitelistfile syncing profileifmap cppmpan profile defaultpan active-profileap system-profile defaultap regulatory-domain-profile default country-code US valid-11g-channel 1 valid-11g-channel 6 valid-11g-channel 11 valid-11a-channel 36 valid-11a-channel 40 valid-11a-channel 44 valid-11a-channel 48 valid-11a-channel 149 valid-11a-channel 153 valid-11a-channel 157 valid-11a-channel 161 valid-11a-channel 165 valid-11g-40mhz-channel-pair 1-5 valid-11g-40mhz-channel-pair 7-11 valid-11a-40mhz-channel-pair 36-40 valid-11a-40mhz-channel-pair 44-48 valid-11a-40mhz-channel-pair 149-153 valid-11a-40mhz-channel-pair 157-161ap wired-ap-profile defaultap enet-link-profile defaultap mesh-ht-ssid-profile defaultap lldp med-network-policy-profile defaultap mesh-cluster-profile defaultap lldp profile defaultap mesh-radio-profile defaultap wired-port-profile defaultids general-profile defaultids unauthorized-device-profile defaultids profile defaultrf 
arm-profile default assignment disablerf arm-profile disable assignment disable no scanning no multi-band-scanrf optimization-profile defaultrf event-thresholds-profile defaultrf am-scan-profile defaultrf dot11a-radio-profile ch 165 channel 48E tx-power 6 arm-profile disablerf dot11a-radio-profile ch 36 channel 36E tx-power 25 dot11h arm-profile disablerf dot11a-radio-profile ch 40 channel 40- tx-power 22rf dot11a-radio-profile ch149 channel 149E tx-power 6 dot11hrf dot11a-radio-profile ch44 channel 44 tx-power 16rf dot11a-radio-profile default arm-profile disablerf dot11g-radio-profile channel-1 channel 1 tx-power 6 dot11h arm-profile disablerf dot11g-radio-profile channel-11 channel 11 tx-power 30 dot11h arm-profile disablerf dot11g-radio-profile channel-6 channel 6 tx-power 25 dot11h arm-profile disablerf dot11g-radio-profile defaultwlan handover-trigger-profile defaultwlan rrm-ie-profile defaultwlan bcn-rpt-req-profile defaultwlan dot11r-profile defaultwlan tsm-req-profile defaultwlan voip-cac-profile default call-capacity 5 bandwidth-capacity 200 send-sip-status-code client 503 send-sip-status-code server 503wlan ht-ssid-profile default no 40MHz-enable no very-high-throughput-enable no 80MHz-enable no short-guard-intvl-20MHz no short-guard-intvl-40MHz no short-guard-intvl-80MHzwlan hotspot anqp-venue-name-profile defaultwlan hotspot anqp-nwk-auth-profile defaultwlan hotspot anqp-roam-cons-profile defaultwlan hotspot anqp-nai-realm-profile defaultwlan hotspot anqp-3gpp-nwk-profile defaultwlan hotspot h2qp-operator-friendly-name-profile defaultwlan hotspot h2qp-wan-metrics-profile defaultwlan hotspot h2qp-conn-capability-profile defaultwlan hotspot h2qp-op-cl-profile defaultwlan hotspot anqp-ip-addr-avail-profile defaultwlan hotspot anqp-domain-name-profile defaultwlan wmm-traffic-management-profile Ascom enable-shapingwlan edca-parameters-profile station defaultwlan edca-parameters-profile ap defaultwlan dot11k-profile defaultwlan ssid-profile --NEW-- essid 
ArubaIntop2 wmm-vo-dscp 56 wmm-vi-dscp 40 wmm-be-dscp 24 wmm-bk-dscp 8
wlan ssid-profile default
   essid ArubaIntop
   opmode wpa2-psk-aes
   dtim-period 5
   g-basic-rates 6
   g-tx-rates 11 12 18 24 36 48 54
   max-retries 4
   wmm
   wmm-vo-dscp 46
   wmm-vi-dscp 40
   wmm-be-dscp 26
   wmm-bk-dscp 0
   wepkey1 1317981aecb1ee9a3145cbeeabbbc99a4c29e309ef9c8544
   wpa-passphrase 50a78a5dac7e447441e028920cceef898a3ba5f29c6e2098
   max-tx-fail 25
   edca-parameters-profile station default
   edca-parameters-profile ap default
wlan ssid-profile test
   opmode wpa2-psk-aes
   wmm-vo-dscp 56
   wmm-vi-dscp 40
   wmm-be-dscp 24
   wmm-bk-dscp 8
   wpa-passphrase c66913b490044f55538730b888a8522c02008a746fb88738
wlan hotspot advertisement-profile default
wlan hotspot hs2-profile default
wlan virtual-ap default
   aaa-profile default-dot1x
ap provisioning-profile default
rf arm-rf-domain-profile
   arm-rf-domain-key 49868e8b02680a8f03980ea4288197a4
ap-lacp-striping-ip
ap-group default
   virtual-ap default
   dot11a-radio-profile ch149
   dot11g-radio-profile channel-6
ap-name 001a1eca2c1a
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-11
ap-name 001a1eca2c76
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-1
ap-name 00246ccbf8b1
ap-name 00246ccbf900
   dot11a-radio-profile ch44
   dot11g-radio-profile channel-11
ap-name 24dec6cacabc
   dot11a-radio-profile ch149
   dot11g-radio-profile channel-1
ap-name 3400-ap-61-a
   dot11g-radio-profile channel-6
ap-name 3400-ap-61-b
   dot11g-radio-profile channel-6
ap-name 9c1c12c0c3bc
   dot11a-radio-profile ch 165
   dot11g-radio-profile channel-6
ap-name 9c1c12c82e5c
   dot11a-radio-profile ch149
   dot11g-radio-profile channel-1
ap-name 9c1c12cc6220
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-6
ap-name d8c7c8c0a168
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-1
airgroup cppm-server aaa
logging level warnings security subcat ids
logging level warnings security subcat ids-ap
snmp-server enable trap
snmp-server trap source 0.0.0.0
snmp-server trap disable wlsxAdhocNetwork
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedAP
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedSta
snmp-server trap disable wlsxAdhocUsingValidSSID
snmp-server trap disable wlsxAuthMaxAclEntries
snmp-server trap disable wlsxAuthMaxBWContracts
snmp-server trap disable wlsxAuthMaxUserEntries
snmp-server trap disable wlsxAuthServerIsUp
snmp-server trap disable wlsxAuthServerReqTimedOut
snmp-server trap disable wlsxAuthServerTimedOut
snmp-server trap disable wlsxChannelChanged
snmp-server trap disable wlsxCoverageHoleDetected
snmp-server trap disable wlsxDBCommunicationFailure
snmp-server trap disable wlsxDisconnectStationAttack
snmp-server trap disable wlsxESIServerDown
snmp-server trap disable wlsxESIServerUp
snmp-server trap disable wlsxFanFailure
snmp-server trap disable wlsxFanTrayInserted
snmp-server trap disable wlsxFanTrayRemoved
snmp-server trap disable wlsxGBICInserted
snmp-server trap disable wlsxIpSpoofingDetected
snmp-server trap disable wlsxLCInserted
snmp-server trap disable wlsxLCRemoved
snmp-server trap disable wlsxLicenseExpiry
snmp-server trap disable wlsxLowMemory
snmp-server trap disable wlsxLowOnFlashSpace
snmp-server trap disable wlsxOutOfRangeTemperature
snmp-server trap disable wlsxOutOfRangeVoltage
snmp-server trap disable wlsxPowerSupplyFailure
snmp-server trap disable wlsxPowerSupplyMissing
snmp-server trap disable wlsxProcessDied
snmp-server trap disable wlsxProcessExceedsMemoryLimits
snmp-server trap disable wlsxSCInserted
snmp-server trap disable wlsxSignatureMatch
snmp-server trap disable wlsxStaUnAssociatedFromUnsecureAP
snmp-server trap disable wlsxStationAddedToBlackList
snmp-server trap disable wlsxStationRemovedFromBlackList
snmp-server trap disable wlsxSwitchIPChanged
snmp-server trap disable wlsxSwitchRoleChange
snmp-server trap disable wlsxUserAuthenticationFailed
snmp-server trap disable wlsxUserEntryAuthenticated
snmp-server trap disable wlsxUserEntryChanged
snmp-server trap disable wlsxUserEntryCreated
snmp-server trap disable wlsxUserEntryDeAuthenticated
snmp-server trap disable wlsxUserEntryDeleted
snmp-server trap disable wlsxVrrpStateChange
firewall-visibility
process monitor log
end

WLAN Interoperability Test Report
Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP115 and AP225
WLAN configuration: Beacon Interval 100 ms, DTIM Interval 5, 802.11d Regulatory Domain XX, WMM Enabled (AutoWMM), No Auto-tune, Single Voice VLAN

Test Case | Description | AP115 2.4 GHz | AP115 5.0 GHz | AP225 2.4 GHz | AP225 5.0 GHz | Comment
TEST AREA ASSOCIATION / AUTHENTICATION
101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS |
104 | Association with WPA-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62
105 | Association with WPA-PSK authentication, AES-CCMP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62
106 | Association with WPA2-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS |
110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL
111 | Association with EAP-FAST authentication | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment
116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate
TEST AREA POWER-SAVE AND QOS PASS
150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL
151 | Beacon period and DTIM interval | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED
152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment
202 | WMM prioritization | PASS | PASS | PASS | PASS | background load generated with iPerf. No degeneration of voice quality
TEST AREA PERFORMANCE
301 | Active mode - unencrypted | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
303 | Active mode – encrypted with WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
308 | Power-save mode U-APSD – WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
309 | Power-save mode U-APSD – WPA2-PSK AES background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
310 | CAC - TSPEC | PASS | PASS | PASS | PASS | No TSPEC based CAC
TEST AREA ROAMING AND HANDOVER TIMES
401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | avg a/n 24 ms, b/g/n 24 ms
403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 52 ms, b/g/n 59 ms
408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 63 ms, b/g/n 62 ms
410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | always on, see 408
411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | always on, see 408
TEST AREA BATTERY LIFETIME
501 | Battery lifetime in idle | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
502 | Battery lifetime in call with no power save | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
504 | Battery lifetime in call with power save mode U-APSD | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
TEST AREA STABILITY
601 | Duration of call – Active mode | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
602 | Duration of call – U-APSD mode | PASS | PASS | PASS | PASS |
TEST AREA 802.11n
801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
804 | 40 MHz channels | NOT TESTED | PASS | NOT TESTED | NOT TESTED |
805 | 802.11n rates | PASS | PASS | PASS | PASS |

WLAN Interoperability Test Report
Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP103 and AP205
WLAN configuration: Beacon Interval 100 ms, DTIM Interval 5, 802.11d Regulatory Domain XX, WMM Enabled (AutoWMM), No Auto-tune, Single Voice VLAN

Test Case | Description | AP205 2.4 GHz | AP205 5.0 GHz | AP103 2.4 GHz | AP103 5.0 GHz | Comment
TEST AREA ASSOCIATION / AUTHENTICATION
101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS |
104 | Association with WPA-PSK authentication, TKIP encryption | See Comment | See Comment | See Comment | See Comment | Not tested. Only possible in Mixed mode and requires advanced configuration of i62
105 | Association with WPA-PSK authentication, AES-CCMP encryption | See Comment | See Comment | See Comment | See Comment | Not tested. Only possible in Mixed mode and requires advanced configuration of i62
106 | Association with WPA2-PSK authentication, TKIP encryption | PASS | PASS | PASS | PASS |
107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS |
110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL
115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment
116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate
TEST AREA POWER-SAVE AND QOS PASS
150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL
151 | Beacon period and DTIM interval | See Comment | See Comment | PASS | PASS | Only DTIM 1 for AP205. AP103 no remark NOT TESTED
152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment
202 | WMM prioritization | PASS | PASS | PASS | PASS |
TEST AREA PERFORMANCE
301 | Active mode - unencrypted | PASS | PASS | PASS | PASS |
303 | Active mode – encrypted with WPA2-PSK | PASS | PASS | PASS | PASS |
308 | Power-save mode U-APSD – WPA2-PSK | PASS | PASS | PASS | PASS |
309 | Power-save mode U-APSD – WPA2-PSK AES background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
310 | CAC - TSPEC | PASS | PASS | PASS | PASS | Non TSPEC based CAC
TEST AREA ROAMING AND HANDOVER TIMES
401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 16 ms, b/g/n 18 ms
403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 53 ms, b/g/n 59 ms
408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 46 ms, b/g/n 62 ms
410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | always on, see 408
411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | always on, see 408
TEST AREA BATTERY LIFETIME
501 | Battery lifetime in idle | See Comment | See Comment | PASS | PASS | 60-70h due to DTIM 1 only. AP103 90-100h (DTIM 5)
502 | Battery lifetime in call with no power save | PASS | PASS | PASS | PASS | 3-4 hours
504 | Battery lifetime in call with power save mode U-APSD | PASS | PASS | PASS | PASS | 13h (14-16h for AP103)
TEST AREA STABILITY
601 | Duration of call – Active mode | PASS | PASS | PASS | PASS | 24h +
602 | Duration of call – U-APSD mode | PASS | PASS | PASS | PASS | 24h +
TEST AREA 802.11n
801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
804 | 40 MHz channels | NOT TESTED | PASS | NOT TESTED | PASS | AP205 80 MHz channels verified OK
805 | 802.11n rates | PASS | PASS | PASS | PASS |

WLAN Interoperability Test Report
Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP105 and AP135
WLAN configuration: Beacon Interval 100 ms, DTIM Interval 5, 802.11d Regulatory Domain XX, WMM Enabled (AutoWMM), No Auto-tune, Single Voice VLAN

Test Case | Description | AP105 2.4 GHz | AP105 5.0 GHz | AP135 2.4 GHz | AP135 5.0 GHz | Comment
TEST AREA ASSOCIATION / AUTHENTICATION
101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS |
104 | Association with WPA-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62
105 | Association with WPA-PSK authentication, AES-CCMP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62
106 | Association with WPA2-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS |
110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL
115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment
116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate
TEST AREA POWER-SAVE AND QOS PASS
150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL
151 | Beacon period and DTIM interval | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Only DTIM 1 for AP205. AP103 no remark NOT TESTED
152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment
202 | WMM prioritization | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | background load generated with iPerf. No degeneration of voice quality
TEST AREA PERFORMANCE
301 | Active mode - unencrypted | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
303 | Active mode – encrypted with WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
308 | Power-save mode U-APSD – WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
309 | Power-save mode U-APSD – WPA2-PSK AES background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
310 | CAC - TSPEC | PASS | PASS | PASS | PASS | No TSPEC based CAC
TEST AREA ROAMING AND HANDOVER TIMES
401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | avg a/n 29 ms, b/g/n 27 ms
403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 57 ms, b/g/n 55 ms
408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 62 ms, b/g/n 60 ms
410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | Always on, see 408
411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | Always on, see 408
412 | Preauthentication | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
TEST AREA BATTERY LIFETIME
501 | Battery lifetime in idle | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
502 | Battery lifetime in call with no power save | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
504 | Battery lifetime in call with power save mode U-APSD | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
TEST AREA STABILITY
601 | Duration of call – Active mode | PASS | PASS | PASS | PASS |
602 | Duration of call – U-APSD mode | PASS | PASS | PASS | PASS |
TEST AREA 802.11n
801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
804 | 40 MHz channels | NOT TESTED | NOT TESTED | NOT TESTED | PASS |
805 | 802.11n rates | PASS | PASS | PASS | PASS |

Table of Contents

Introduction
Solution Components
Aruba Campus WLAN Solution
Ascom Solution
ArubaEdge Solution Qualification
Qualification Objective
Network Topology
Test Methodology
Summary Test Results
Known Limitations
Conclusion
Appendix 1
General settings (SSID, Radio and QoS)
Encryption and Authentication Settings
Ascom i62 Setting Summary
APPENDIX B
Test Summary
Aruba Test Configuration File

Introduction

This document describes the steps and guidelines necessary to configure Aruba’s wireless LAN (AOS version 6.4.2.0) infrastructure to interoperate with Ascom’s i62 handsets.

The guide is intended to be used in conjunction with Aruba and Ascom configuration guides. Please contact the respective company’s sales engineering or support groups should additional information be required.

Solution Verified: Ascom Phones
Aruba Product: Aruba Campus WLAN Solution, OS version 6.4.x.x
Partner Solution Tested: Ascom i62 Handset, Software version 5.2.8

Solution Components

Aruba Campus WLAN Solution

Secure and reliable mobility is the responsibility of the enterprise network, which must support a wide range of converged clients over wireless, wired, and remote access networks. Laptops and smartphones are capable of simultaneously running voice, data, and now video applications, an operating model that breaks traditional dedicated VLAN and SSID architectures. Delivering the quality of service (QoS), bandwidth, and management tools necessary to accommodate these devices on a grand scale – within a campus environment, to users on the road, and in branch offices – requires a specially tailored system design.

Aruba’s unique application and device fingerprinting enable the system to detect the types of traffic flows and the devices from which they originate. The network can then be dynamically conditioned to deliver QoS - on an application-by-application, device-by-device basis - as needed to ensure highly reliable application delivery. Aruba’s integrated policy enforcement firewall isolates applications from one another to essentially create multiple dedicated virtual networks, and then allocates the necessary bandwidth for each user and application.

To ensure reliable application delivery in changing RF environments, Aruba’s Adaptive Radio Management (ARM) technology forces client devices to shift away from the noisy 2.4 GHz band to the quieter 5 GHz band, adjusts radio power levels to blanket coverage areas, load balances by shifting clients between access points, and even allocates airtime based on the capabilities of each client device. The result is a superb user experience without any user involvement.

These services are complemented by security systems that ensure the integrity of the network. Rogue detection, wireless intrusion and prevention, access control, remote site VPN, content security scanning, end-to-end data encryption, and other services protect the network and users at all times.

Aruba’s extensive portfolio of campus, branch/teleworker, and mobile solutions simplify operations and secure access to unified communications applications and services - regardless of the user’s device, location, or network. This dramatically improves productivity, lowering capital and operational costs while providing a superior, uninterrupted user experience.

Ascom Solution

The Ascom i62 offers a sophisticated telephony, messaging and alarm solution for enterprise business based on Wi-Fi technology. By offering Voice over Wi-Fi, only one network needs to be installed and maintained for all applications, including Internet access, e-mail, voice and other business related applications.

The latest 802.11n and 802.11ac standards provide the benefits of higher throughput and longer range, increasing the ability to integrate with other systems and build efficient applications. With the new generation networks and handsets, the capacity and versatility outperforms any other on-site wireless technology.

The Ascom i62 offers a unique management tool with a central management concept, enabling remote management and SW upgrades of the handsets over the air.

Certified Product Summary

Manufacturer: Ascom Wireless Solutions
Products Certified: Ascom i62 and OEM derivatives
Hardware Model Numbers: WH1-xxxx
Software Version Numbers: 5.2.8

RF Features Tested
Radio Supported: 802.11a/b/g/n
QoS Features Supported/Tested: WMM
Powersave Features Tested: U-APSD
Encryption Supported: WPA2-PSK, PEAP-MSCHAPv2, EAP-TLS
Encryption Tested: WPA2-PSK, PEAP-MSCHAPv2, EAP-TLS
802.11h Supported: Yes
Key Caching Support for Optimized Roaming: OKC and PMK

Voice Specific Features
Protocols Supported: SIP-UDP, SIP-TCP, SIP-TLS, H.323
Control Traffic Pattern: Handset to Server and vice versa
Voice Traffic Pattern: Peer-to-peer (between handsets)
# of Calls per AP Tested: 18 calls (not AP-capacity limited)

ArubaEdge Solution Qualification

Qualification Objective

Validate the interoperability of the Ascom i62 with Aruba’s wireless LAN infrastructure (version 6.4.2.0).

Network Topology

Settings on the Aruba WLAN

Enable SNMP v2 on the Aruba Mobility Controller and configure the community string as follows:

The following Aruba Mobility Controller configuration settings are recommended for use with Ascom i62 handsets:

- RF Recommended Settings for Ascom
  o Beacon Interval: 100 ms
  o DTIM Period: 5
  o WMM/U-APSD: Enabled
  o 802.11d Regulatory Domain: Country specific
- Encryption and Authentication
  o The handset and the WLAN infrastructure support and were tested with WPA/WPA2 enterprise and PSK. Please refer to the Aruba configuration guide for additional information on how the SSIDs and encryption/authentication methods should be configured.
- Adaptive Radio Management
  o Enable ARM voice aware scanning, WMM, U-APSD and band steering.
- User Roles and Policies: The Ascom phones support SIP and H.323, so enable the voice ACL or the SIP and H.323 ACLs.

Ascom Settings

The following Ascom i62 Handset configuration settings are recommended for use with Aruba Mobility Controllers.

Ascom i62 Configuration
World Mode Regulatory Domain: set to World mode
IP DSCP for Voice: 0xC0 (46) – Expedited Forwarding
IP DSCP for Signaling: 0x68 (26) – Assured Forwarding 31
Transmit Gratuitous ARP: Enable

Refer to Appendix A for additional details.

Test Methodology

Summary Test Results

The features and functions listed below were assessed during interoperability testing. The test results are presented in the right-most column.

WLAN Controller Features

High Level Functionality | Result
Association Open with No Encryption | OK
Association Open with Static WEP 64/128 | Not tested
Association WPA-PSK TKIP | OK
Association WPA2-PSK TKIP/AES Encryption | OK
Association PEAP-MSCHAPv2 Auth, TKIP Encryption | OK
Association PEAP-MSCHAPv2 Auth, AES Encryption | OK
Association EAP-TLS | OK
Association Multiple ESSIDs | OK
Beacon Interval and DTIM Period | OK
Pre-authentication | N/A
PMKSA Caching | OK
WPA2-Opportunistic/Proactive Key Caching | OK
WMM Prioritization | OK
Active Mode (load test) | OK
802.11 Power-Save Mode | OK
802.11e U-APSD | OK
802.11e U-APSD (load test) | OK

Roaming

High Level Functionality | Result
Roaming Open with No Encryption | OK (Avg roaming time 24ms)
Roaming WPA-PSK TKIP Encryption | Not tested
Roaming WPA2-PSK AES Encryption | OK (Avg roaming time 59ms)
Roaming PEAP-MSCHAPv2 Auth AES Encryption | OK (Avg roaming time 68ms)

Stated roaming times were measured using 802.11b/g (n), AP-225. Refer to Appendix B for detailed test records.

Results observed with Opportunistic Key Caching enabled. Results average 400ms without Opportunistic Key Caching.

Known Limitations

- Note that AP-205/214/215/224/225/275 only support DTIM 1. This will reduce the standby (idle) time from approximately 100 hours to 60 hours.

- Ascom i62 does not handle 802.11k info correctly, which affects roaming negatively. It is therefore highly recommended to configure the Aruba system not to advertise the 802.11k capabilities for the Ascom i62 SSID.

Conclusion

The verification, including association, authentication, roaming and load test, produced very good results overall. Roaming times were in general good, with roaming times of around 40-60ms both when using WPA2-PSK/AES and PEAP-MSCHAPv2 (WPA2/AES).

Load testing showed that more than 18 Ascom i62 Handsets could maintain a call via a single Aruba access point when tested both in active and U-APSD modes. Note that 18 was the maximum number of devices tested and not the capacity limit.

Appendix 1

This section includes screenshots and explanations of basic settings required to use Ascom i62 Handsets with an Aruba 3400 Mobility Controller. Please note the security settings of each test case, as they were modified according to the needs of the test cases.

The configuration file is found at the end of this appendix.

General settings (SSID, Radio and QoS)

Set DTIM Interval to 5 (for AP-204/205/214/215/224/225 only value 1 is supported). This value is recommended for maximum battery conservation without impacting call quality. Using a lower value will also decrease the standby time slightly.

Ascom recommends disabling the lowest rates and recommends that 12 Mbit/s is the lowest basic rate.

Ensure that WMM and U-APSD are enabled. To match the default values in the i62, use DSCP 46 for Voice, 26 for video and 0 for best effort. It is also recommended that “Max Transmit Attempts” be set to 4.

Note: To further optimize performance, it is recommended that 802.11b clients be disallowed from associating by setting 6 Mbps or 12 Mbps as Basic Rates in the 802.11g configuration.

Set “Maximum Transmit Failures” to 25.

“High throughput enable” enables 802.11n capabilities that are supported in combination with Open encryption and WPA2-AES (PSK or Enterprise).

Ascom supports both 40 MHz channels and Very High Throughput enabled SSIDs, including 80 MHz channels.

Ascom recommends a Beacon Interval of 100ms and advertising 802.11d/h capabilities.

General guidelines when deploying Ascom i62 handsets (SW version 2.5.7 or later) in 802.11a/n environments:

1. Enabling more than 8 channels will degrade roaming performance. Ascom strongly recommends against going above this limit.

2. Using 40 MHz channels (or “channel-bonding”) will reduce the number of non-DFS channels to two in ETSI regions (Europe). In FCC regions (North America) 40 MHz is a more viable option because of the availability of additional non-DFS channels. The handset can co-exist with 40 MHz stations in the same ESS.

3. Make sure that all non-DFS channels are taken before resorting to DFS channels. The handset can cope in mixed non-DFS and DFS environments; however, due to “unpredictability” introduced by radar detection protocols, voice quality may become distorted and roaming delayed. Hence Ascom recommends avoiding the use of DFS channels in VoWi-Fi deployments.

DFS: Dynamic Frequency Selection (radar detection)

Ascom recommends a Beacon Interval of 100ms and advertising 802.11d/h capabilities. For 802.11b/g/n use only channels 1, 6 and 11. For 802.11a/n use channels in accordance with Aruba’s guidelines and in compliance with local regulations.

Encryption and Authentication Settings

WPA2-PSK: Set the security profile to WPA2-PSK, AES encryption.

Enterprise/.1X authentication

Step 1. When configuring the authentication mode using a RADIUS server, the IP address and the secret must correspond to the IP address and the credential used by the RADIUS server. The RADIUS server should be added to a Server Group.

Step 2. Create an 802.1X Authentication Profile.

Step 3. Choose the 802.1X Authentication profile created in the previous step and configure the Authentication Server group.

Choose the configured AAA Profile and set WPA2/AES as the security mode.

See Appendix B for the controller configuration used for the certification process.
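One way to check a controller configuration export against the SSID settings recommended in this appendix, as an added example that is not code from Aruba or Ascom. The keyword names follow the ssid-profile block of the Appendix B configuration file; reading "Max Transmit Attempts" as max-retries, the function names and the sample profiles (constructed, not from the guide) are assumptions.

```python
import shlex

# Recommended values from the guide's General settings text. Keyword names follow
# the ssid-profile block in the Appendix B configuration file; treating
# "Max Transmit Attempts" as max-retries is an assumption.
RECOMMENDED = {
    "dtim-period": "5",
    "max-retries": "4",
    "max-tx-fail": "25",
    "wmm-vo-dscp": "46",
    "wmm-vi-dscp": "26",
    "wmm-be-dscp": "0",
}
ACCEPTED_OPMODES = {"wpa2-psk-aes", "wpa2-aes"}  # WPA2 with AES, PSK or Enterprise
LEGACY_B_RATES = {"1", "2", "5", "11"}           # 802.11b rates ("5" is 5.5 Mbps)

# Constructed sample input, not taken from the guide.
SAMPLE_CONFIG = """\
wlan ssid-profile "voice-ok"
   essid "Voice"
   opmode wpa2-psk-aes
   dtim-period 5
   g-basic-rates 12
   g-tx-rates 12 18 24 36 48 54
   max-retries 4
   wmm
   wmm-vo-dscp 46
   wmm-vi-dscp 26
   wmm-be-dscp 0
   max-tx-fail 25
!
wlan ssid-profile "voice-legacy"
   essid "Voice-Old"
   opmode wpa-psk-tkip
   dtim-period 1
   g-basic-rates 1 2
   max-retries 4
   wmm-vo-dscp 56
   wmm-vi-dscp 26
   wmm-be-dscp 0
   max-tx-fail 25
!
rf dot11g-radio-profile "channel-6"
   channel 6
!
"""


def parse_ssid_profiles(config_text):
    """Return {profile name: {keyword: [arguments]}} for each wlan ssid-profile block."""
    profiles, current = {}, None
    for raw in config_text.splitlines():
        tokens = shlex.split(raw)          # also strips the quotes around names
        if not tokens:
            continue
        if not raw[0].isspace():           # "!" or a new top-level command ends the block
            current = None
            if tokens[:2] == ["wlan", "ssid-profile"] and len(tokens) >= 3:
                current = profiles.setdefault(tokens[2], {})
        elif current is not None:          # indented sub-command of the open block
            current[tokens[0]] = tokens[1:]
    return profiles


def audit_profile(settings, dtim_allowed=("5",)):
    """Return findings for one profile. Settings absent from the export are reported
    rather than assumed to match, since the controller default then applies.
    For the AP models the guide lists as DTIM 1 only, pass dtim_allowed=("1", "5")."""
    findings = []
    for key, want in RECOMMENDED.items():
        allowed = dtim_allowed if key == "dtim-period" else (want,)
        args = settings.get(key)
        if not args:
            findings.append(f"{key}: not set explicitly, expected {want}")
        elif args[0] not in allowed:
            findings.append(f"{key}: {args[0]}, expected {want}")
    if "wmm" not in settings:
        findings.append("wmm: not enabled in this profile")
    opmodes = settings.get("opmode", [])
    if not opmodes or any(mode not in ACCEPTED_OPMODES for mode in opmodes):
        findings.append(f"opmode: {' '.join(opmodes) or 'not set'}, expected WPA2 with AES")
    basic = settings.get("g-basic-rates")
    if not basic:
        findings.append("g-basic-rates: not set explicitly, expected 6 or 12 as lowest")
    else:
        legacy = [rate for rate in basic if rate in LEGACY_B_RATES]
        if legacy:
            findings.append(f"g-basic-rates: includes 802.11b rate(s) {' '.join(legacy)}")
    return findings


def audit_config(config_text, dtim_allowed=("5",)):
    """Audit every wlan ssid-profile found in a configuration export."""
    return {name: audit_profile(settings, dtim_allowed)
            for name, settings in parse_ssid_profiles(config_text).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("   -", finding)
```

Profiles that only inherit controller defaults are reported as "not set explicitly", so review those findings against the running defaults before changing anything.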

Ascom i62 Setting Summary

Network settings for WPA2-PSK

Network settings for .1X authentication (PEAP-MSCHAPv2)

802.1X authentication requires a root certificate to be uploaded to the phone by “right clicking” -> Edit certificates. EAP-TLS will require both a root and a client certificate.

Note that both a root and a client certificate are needed for TLS. Otherwise only a root certificate is needed.

Server certificate validation can be overridden in version 4.1.12 and above per handset setting (Validate server certificate under Network settings).

APPENDIX B

Test Summary

Description | Runs
Tests passed | 24
Tests Not Run | 11
Tests fail | 0
Test NA | 0
Total Number of Tests | 35

DeployingAscomrsquosi62VoWi‐FiHandsetwithArubaNetworksrsquoSecureMobilitySolution 20

ArubaTestConfigurationFile version 64 enable secret 7d3988e20126db68084797bcc038534bffc2ced01c24555806 hostname Aruba3400 clock timezone PST ‐8 location Building1floor1 controller config 716 ip NAT pool dynamic‐srcnat 0000 0000 ip access‐list eth validuserethacl permit any netservice svc‐pcoip2‐tcp tcp 4172 netservice svc‐snmp‐trap udp 162 netservice svc‐netbios‐dgm udp 138 netservice svc‐citrix tcp 2598 netservice svc‐smb‐tcp tcp 445 netservice svc‐ike udp 500 netservice svc‐l2tp udp 1701 netservice svc‐syslog udp 514 netservice svc‐dhcp udp 67 68 alg dhcp netservice svc‐https tcp 443 netservice svc‐ica tcp 1494 netservice svc‐pptp tcp 1723 netservice svc‐telnet tcp 23 netservice svc‐http‐accl tcp 88 netservice svc‐sccp tcp 2000 alg sccp netservice svc‐sec‐papi udp 8209 netservice svc‐tftp udp 69 alg tftp netservice svc‐kerberos udp 88 netservice svc‐sip‐tcp tcp 5060 netservice svc‐netbios‐ssn tcp 139 netservice svc‐pcoip‐udp udp 50002 netservice svc‐pcoip‐tcp tcp 50002 netservice svc‐pop3 tcp 110 netservice svc‐adp udp 8200 netservice svc‐cfgm‐tcp tcp 8211 netservice svc‐noe udp 32512 alg noe netservice svc‐http‐proxy3 tcp 8888 netservice svc‐lpd‐tcp tcp 631 netservice svc‐msrpc‐tcp tcp 135 139 netservice svc‐rtsp tcp 554 alg rtsp netservice svc‐dns udp 53 alg dns netservice vnc tcp 5900 5905 netservice svc‐vocera udp 5002 alg vocera netservice svc‐h323‐tcp tcp 1720 netservice svc‐h323‐udp udp 1718 1719 netservice svc‐http tcp 80 netservice svc‐nterm tcp 1026 1028 netservice svc‐sip‐udp udp 5060 netservice svc‐http‐proxy2 tcp 8080 netservice svc‐noe‐oxo udp 5000 alg noe netservice svc‐papi udp 8211 netservice svc‐ftp tcp 21 alg ftp netservice svc‐natt udp 4500 netservice svc‐svp 119 alg svp netservice svc‐microsoft‐ds tcp 445 netservice svc‐gre 47 netservice svc‐smtp tcp 25 netservice web tcp list 80 443 netservice svc‐smb‐udp udp 445 netservice svc‐sips tcp 5061 alg sips netservice svc‐netbios‐ns udp 137 netservice svc‐esp 50

DeployingAscomrsquosi62VoWi‐FiHandsetwithArubaNetworksrsquoSecureMobilitySolution 21

netservice svc‐cups tcp 515 netservice svc‐pcoip2‐udp udp 4172 netservice svc‐bootp udp 67 69 netservice svc‐snmp udp 161 netservice svc‐v6‐dhcp udp 546 547 netservice svc‐icmp 1 netservice svc‐ntp udp 123 netservice svc‐msrpc‐udp udp 135 139 netservice svc‐ssh tcp 22 netservice svc‐http‐proxy1 tcp 3128 netservice svc‐v6‐icmp 58 netservice svc‐lpd‐udp udp 631 netservice svc‐vmware‐rdp tcp 3389 netdestination6 ipv6‐reserved‐range invert network 20003 netexthdr default time‐range night‐hours periodic weekday 1801 to 2359 weekday 0000 to 0759 time‐range weekend periodic weekend 0000 to 2359 time‐range working‐hours periodic weekday 0800 to 1800 ip access‐list session allow‐diskservices any any svc‐netbios‐dgm permit any any svc‐netbios‐ssn permit any any svc‐microsoft‐ds permit any any svc‐netbios‐ns permit ip access‐list session control any any svc‐papi permit any any svc‐sec‐papi permit user any udp 68 deny any any svc‐icmp permit any any svc‐dns permit any any svc‐cfgm‐tcp permit any any svc‐adp permit any any svc‐tftp permit any any svc‐dhcp permit any any svc‐natt permit ip access‐list session v6‐icmp‐acl ip access‐list session apprf‐ascom‐sacl ip access‐list session validuser network 16925400 25525500 any any deny network 127000 255000 any any deny network 224000 240000 any any deny host 255255255255 any any deny network 240000 240000 any any deny any any any permit ipv6 host fe80 any any deny ipv6 network fc007 any any permit ipv6 network fe8064 any any permit ipv6 alias ipv6‐reserved‐range any any deny ipv6 any any any permit ip access‐list session vocera‐acl any any svc‐vocera permit queue high

DeployingAscomrsquosi62VoWi‐FiHandsetwithArubaNetworksrsquoSecureMobilitySolution 22

ip access‐list session v6‐https‐acl ip access‐list session vmware‐acl any any svc‐vmware‐rdp permit tos 46 dot1p‐priority 6 any any svc‐pcoip‐tcp permit tos 46 dot1p‐priority 6 any any svc‐pcoip‐udp permit tos 46 dot1p‐priority 6 any any svc‐pcoip2‐tcp permit tos 46 dot1p‐priority 6 any any svc‐pcoip2‐udp permit tos 46 dot1p‐priority 6 ip access‐list session apprf‐default‐vpn‐role‐sacl ip access‐list session v6‐control ipv6 any any svc‐papi permit ipv6 any any svc‐sec‐papi permit ipv6 user any udp 547 deny ipv6 any any svc‐v6‐icmp permit ipv6 any any svc‐dns permit ipv6 any any svc‐cfgm‐tcp permit ipv6 any any svc‐adp permit ipv6 any any svc‐tftp permit ipv6 any any svc‐dhcp permit ipv6 any any svc‐natt permit ip access‐list session icmp‐acl any any svc‐icmp permit ip access‐list session apprf‐authenticated‐sacl ip access‐list session apprf‐stateful‐dot1x‐sacl ip access‐list session captiveportal user alias controller svc‐https dst‐nat 8081 user any svc‐http dst‐nat 8080 user any svc‐https dst‐nat 8081 user any svc‐http‐proxy1 dst‐nat 8088 user any svc‐http‐proxy2 dst‐nat 8088 user any svc‐http‐proxy3 dst‐nat 8088 ip access‐list session v6‐dhcp‐acl ip access‐list session allowall any any any permit ip access‐list session v6‐dns‐acl ip access‐list session apprf‐voice‐sacl ip access‐list session lync‐acl any any svc‐sips permit queue high ip access‐list session test ip access‐list session sip‐acl any any svc‐sip‐udp permit queue high any any svc‐sip‐tcp permit queue high ip access‐list session https‐acl any any svc‐https permit ip access‐list session citrix‐acl any any svc‐citrix permit tos 46 dot1p‐priority 6 any any svc‐ica permit tos 46 dot1p‐priority 6 ip access‐list session dns‐acl any any svc‐dns permit

DeployingAscomrsquosi62VoWi‐FiHandsetwithArubaNetworksrsquoSecureMobilitySolution 23

ip access‐list session ascom any any any permit ip access‐list session ra‐guard ipv6 user any icmpv6 rtr‐adv deny ip access‐list session allow‐printservices any any svc‐cups permit any any svc‐lpd‐tcp permit any any svc‐lpd‐udp permit ip access‐list session logon‐control user any udp 68 deny any any svc‐icmp permit any any svc‐dns permit any any svc‐dhcp permit any any svc‐natt permit any network 16925400 25525500 any deny any network 240000 240000 any deny ip access‐list session vpnlogon user any svc‐ike permit user any svc‐esp permit any any svc‐l2tp permit any any svc‐pptp permit any any svc‐gre permit ip access‐list session srcnat user any any src‐nat ip access‐list session skinny‐acl any any svc‐sccp permit queue high ip access‐list session tftp‐acl any any svc‐tftp permit ip access‐list session v6‐allowall ip access‐list session apprf‐cpbase‐sacl ip access‐list session cplogout user alias controller svc‐https dst‐nat 8081 ip access‐list session apprf‐default‐via‐role‐sacl ip access‐list session dhcp‐acl any any svc‐dhcp permit ip access‐list session http‐acl any any svc‐http permit ip access‐list session v6‐http‐acl ip access‐list session captiveportal6 ipv6 user alias controller6 svc‐https captive ipv6 user any svc‐http captive ipv6 user any svc‐https captive ipv6 user any svc‐http‐proxy1 captive ipv6 user any svc‐http‐proxy2 captive ipv6 user any svc‐http‐proxy3 captive ip access‐list session apprf‐guest‐sacl ip access‐list session ap‐uplink‐acl any any udp 68 permit

  any any svc-icmp permit
  any host 22400251 udp 5353 permit
ip access-list session ap-acl
  any any svc-gre permit
  any any svc-syslog permit
  any user svc-snmp permit
  user any svc-http permit
  user any svc-http-accl permit
  user any svc-smb-tcp permit
  user any svc-msrpc-tcp permit
  user any svc-snmp-trap permit
  user any svc-ntp permit
  user alias controller svc-ftp permit
ip access-list session svp-acl
  any any svc-svp permit queue high
  user host 22401116 any permit
ip access-list session noe-acl
  any any svc-noe permit queue high
ip access-list session global-sacl
ip access-list session v6-ap-acl
  ipv6 any any svc-gre permit
  ipv6 any any svc-syslog permit
  ipv6 any user svc-snmp permit
  ipv6 user any svc-snmp-trap permit
  ipv6 user any svc-ntp permit
  ipv6 user alias controller6 svc-ftp permit
ip access-list session h323-acl
  any any svc-h323-tcp permit queue high
  any any svc-h323-udp permit queue high
ip access-list session v6-logon-control
  ipv6 any network fc007 any permit
  ipv6 any network fe8064 any permit
  ipv6 any alias ipv6-reserved-range any deny
vpn-dialer default-dialer
  ike authentication PRE-SHARE 0fa4598253e270cc96afbec0732b06120e4a3d76a908f6e2
dot1x high-watermark 60
dot1x low-watermark 57
user-role ap-role
  access-list session ra-guard
  access-list session control
  access-list session ap-acl
  access-list session v6-control
  access-list session v6-ap-acl
user-role denyall
user-role default-vpn-role
  access-list session global-sacl
  access-list session apprf-default-vpn-role-sacl
  access-list session ra-guard
  access-list session allowall
  access-list session v6-allowall
user-role cpbase
  access-list session global-sacl
  access-list session apprf-cpbase-sacl

user-role voice
  access-list session global-sacl
  access-list session apprf-voice-sacl
  access-list session ra-guard
  access-list session sip-acl
  access-list session noe-acl
  access-list session svp-acl
  access-list session vocera-acl
  access-list session skinny-acl
  access-list session h323-acl
  access-list session dhcp-acl
  access-list session tftp-acl
  access-list session dns-acl
  access-list session icmp-acl
user-role ascom
  access-list session global-sacl
  access-list session apprf-ascom-sacl
  access-list session ascom
user-role default-via-role
  access-list session global-sacl
  access-list session apprf-default-via-role-sacl
  access-list session allowall
  access-list session v6-allowall
user-role guest-logon
  captive-portal default
  access-list session ra-guard
  access-list session logon-control
  access-list session captiveportal
  access-list session v6-logon-control
  access-list session captiveportal6
user-role guest
  access-list session global-sacl
  access-list session apprf-guest-sacl
  access-list session ra-guard
  access-list session http-acl
  access-list session https-acl
  access-list session dhcp-acl
  access-list session icmp-acl
  access-list session dns-acl
  access-list session v6-http-acl
  access-list session v6-https-acl
  access-list session v6-dhcp-acl
  access-list session v6-icmp-acl
  access-list session v6-dns-acl
user-role stateful-dot1x
  access-list session global-sacl
  access-list session apprf-stateful-dot1x-sacl
user-role authenticated
  access-list session global-sacl
  access-list session apprf-authenticated-sacl
  access-list session ra-guard
  access-list session allowall
  access-list session v6-allowall
user-role logon
  access-list session ra-guard
  access-list session logon-control
  access-list session captiveportal
  access-list session vpnlogon
  access-list session v6-logon-control

  access-list session captiveportal6
no kernel coredump
interface mgmt
  shutdown
dialer group evdo_us
  init-string ATQ0V1E0
  dial-string ATDT777
dialer group gsm_us
  init-string AT+CGDCONT=1IPISPCINGULAR
  dial-string ATD99
dialer group gsm_asia
  init-string AT+CGDCONT=1IPinternet
  dial-string ATD991
dialer group vivo_br
  init-string AT+CGDCONT=1IPzapvivocombr
  dial-string ATD99
no spanning-tree
interface gigabitethernet 10
  description GE10
  trusted
  trusted vlan 1-4094
interface gigabitethernet 11
  description GE11
  trusted
  trusted vlan 1-4094
interface gigabitethernet 12
  description GE12
  trusted
  trusted vlan 1-4094
interface gigabitethernet 13
  description GE13
  trusted
  trusted vlan 1-4094
interface vlan 1
  ip address 192168013 2552552550
ip default-gateway 172201061
ip default-gateway 192168050
uplink disable

crypto isakmp policy 20
  encryption aes256
crypto isakmp policy 10001
crypto isakmp policy 10002
  encryption aes256
  authentication rsa-sig
crypto isakmp policy 10003
  encryption aes256
crypto isakmp policy 10004
  version v2
  encryption aes256
  authentication rsa-sig
crypto isakmp policy 10005
  encryption aes256
crypto isakmp policy 10006
  version v2
  encryption aes128
  authentication rsa-sig
crypto isakmp policy 10007
  version v2
  encryption aes128
crypto isakmp policy 10008
  version v2
  encryption aes128
  hash sha2-256-128
  group 19
  authentication ecdsa-256
  prf prf-hmac-sha256
crypto isakmp policy 10009
  version v2
  encryption aes256
  hash sha2-384-192
  group 20
  authentication ecdsa-384
  prf prf-hmac-sha384
crypto ipsec transform-set default-ha-transform esp-3des esp-sha-hmac
crypto ipsec transform-set default-boc-bm-transform esp-3des esp-sha-hmac
crypto ipsec transform-set default-rap-transform esp-aes256 esp-sha-hmac
crypto ipsec transform-set default-aes esp-aes256 esp-sha-hmac
crypto dynamic-map default-rap-ipsecmap 10001
  version v2
  set transform-set default-gcm256 default-gcm128 default-rap-transform
crypto dynamic-map default-dynamicmap 10000
  set transform-set default-transform default-aes

crypto map GLOBAL-IKEV2-MAP 10000 ipsec-isakmp dynamic default-rap-ipsecmap
crypto map GLOBAL-MAP 10000 ipsec-isakmp dynamic default-dynamicmap
crypto isakmp eap-passthrough eap-tls
crypto isakmp eap-passthrough eap-peap
crypto isakmp eap-passthrough eap-mschapv2
vpdn group l2tp
vpdn group pptp
tunneled-node-address 0000
adp discovery enable
adp igmp-join enable
adp igmp-vlan 0
voice rtcp-inactivity disable
voice alg-based-cac enable
voice sip-midcall-req-timeout disable
ap ap-blacklist-time 3600
ap flush-r1-on-new-r0 disable
mgmt-user admin root 5436b5a101681372db26d314e974065944317cd3e1fe6a5534
no database synchronize
ip mobile domain default
airgroup mdns enable
airgroup dlna enable
airgroup location-discovery enable
airgroup active-wireless-discovery disable
airgroupservice airplay
  id _airplay_tcp
  id _raop_tcp
  id _appletv-v2_tcp
  description AirPlay
airgroupservice airprint
  id _ipp_tcp
  id _pdl-datastream_tcp
  id _printer_tcp
  id _scanner_tcp
  id _universal_sub_ipp_tcp
  id _universal_sub_ipps_tcp
  id _printer_sub_http_tcp
  id _http_tcp

  id _http-alt_tcp
  id _ipp-tls_tcp
  id _fax-ipp_tcp
  id _riousbprint_tcp
  id _cups_sub_ipp_tcp
  id _cups_sub_fax-ipp_tcp
  id _ica-networking_tcp
  id _ptp_tcp
  id _canon-bjnp1_tcp
  id _ipps_tcp
  id _ica-networking2_tcp
  description AirPrint
airgroupservice itunes
  id _home-sharing_tcp
  id _apple-mobdev_tcp
  id _daap_tcp
  id _dacp_tcp
  description iTunes
airgroupservice remotemgmt
  id _ssh_tcp
  id _sftp-ssh_tcp
  id _ftp_tcp
  id _telnet_tcp
  id _rfb_tcp
  id _net-assistant_tcp
  description Remote management
airgroupservice sharing
  id _odisk_tcp
  id _afpovertcp_tcp
  id _xgrid_tcp
  description Sharing
airgroupservice chat
  id _presence_tcp
  description Chat
airgroupservice googlecast
  id _googlecast_tcp
  description GoogleCast supported by Chromecast etc
airgroupservice DIAL
  id urndial-multiscreen-orgservicedial1
  id urndial-multiscreen-orgdevicedial1
  description DIAL supported by Chromecast FireTV Roku etc
airgroupservice DLNA Media
  id urnschemas-upnp-orgdeviceMediaServer1
  id urnschemas-upnp-orgdeviceMediaServer2
  id urnschemas-upnp-orgdeviceMediaServer3
  id urnschemas-upnp-orgdeviceMediaServer4
  id urnschemas-upnp-orgdeviceMediaRenderer1
  id urnschemas-upnp-orgdeviceMediaRenderer2
  id urnschemas-upnp-orgdeviceMediaRenderer3
  id urnschemas-upnp-orgdeviceMediaPlayer1
  description Media
airgroupservice DLNA Print
  id urnschemas-upnp-orgdevicePrinter1
  id urnschemas-upnp-orgservicePrintBasic1
  id urnschemas-upnp-orgservicePrintEnhanced1
  description Print
airgroupservice allowall

  description Remaining-Services
airgroup service airplay enable
airgroup service airprint enable
airgroup service itunes disable
airgroup service remotemgmt disable
airgroup service sharing disable
airgroup service chat disable
airgroup service googlecast disable
airgroup service DIAL enable
airgroup service DLNA Media disable
airgroup service DLNA Print disable
airgroup service allowall disable
ip igmp
ipv6 mld
no firewall attack-rate cp 1024
firewall enable ICE-STUN based firewall traversal
firewall attack-rate grat-arp 50 drop
ipv6 firewall ext-hdr-parse-len 100
firewall cp
ip domain lookup
country US
aaa authentication mac default
aaa authentication dot1x ArubaIntop-dot1x_prof
aaa authentication dot1x ascom
  machine-authentication enable
  machine-authentication machine-default-role ascom
  machine-authentication user-default-role authenticated
  reauthentication
  termination enable
  termination eap-type eap-peap
  termination inner-eap-type eap-mschapv2
aaa authentication dot1x default
aaa authentication dot1x Freeradius
  machine-authentication enable
  machine-authentication machine-default-role ascom
  machine-authentication user-default-role authenticated
aaa authentication-server radius Intop
  host 19216802

  key 6035e299cd29e5ccb74cf92aac31ee2f
aaa server-group ascom
  auth-server Internal
aaa server-group default
  auth-server Internal
  set role condition role value-of
aaa server-group intop
  auth-server Intop
aaa profile ascom
  initial-role ascom
  authentication-dot1x ascom
  dot1x-default-role authenticated
  dot1x-server-group ascom
aaa profile default
aaa profile default-dot1x
  initial-role ascom
  authentication-dot1x Freeradius
  dot1x-default-role authenticated
  dot1x-server-group intop
aaa profile default-dot1x-psk
  initial-role ascom
  authentication-dot1x default-psk
  dot1x-default-role authenticated
aaa authentication captive-portal default
aaa authentication wispr default
aaa authentication vpn default
aaa authentication vpn default-rap
aaa authentication mgmt
aaa authentication stateful-ntlm default
aaa authentication stateful-kerberos default
aaa authentication stateful-dot1x
  server-group intop
aaa authentication wired
web-server
guest-access-email
voice logging
voice dialplan-profile default
app lync traffic-control default
voice real-time-config
voice sip
aaa password-policy mgmt

control-plane-security
  no cpsec-enable
ids wms-general-profile
  poll-retries 3
ids wms-local-system-profile
valid-network-oui-profile
upgrade-profile
license profile
activate-service-whitelist
file syncing profile
ifmap cppm
pan profile default
pan active-profile
ap system-profile default
ap regulatory-domain-profile default
  country-code US
  valid-11g-channel 1
  valid-11g-channel 6
  valid-11g-channel 11
  valid-11a-channel 36
  valid-11a-channel 40
  valid-11a-channel 44
  valid-11a-channel 48
  valid-11a-channel 149
  valid-11a-channel 153
  valid-11a-channel 157
  valid-11a-channel 161
  valid-11a-channel 165
  valid-11g-40mhz-channel-pair 1-5
  valid-11g-40mhz-channel-pair 7-11
  valid-11a-40mhz-channel-pair 36-40
  valid-11a-40mhz-channel-pair 44-48
  valid-11a-40mhz-channel-pair 149-153
  valid-11a-40mhz-channel-pair 157-161
ap wired-ap-profile default
ap enet-link-profile default
ap mesh-ht-ssid-profile default
ap lldp med-network-policy-profile default
ap mesh-cluster-profile default
ap lldp profile default
ap mesh-radio-profile default
ap wired-port-profile default
ids general-profile default
ids unauthorized-device-profile default

ids profile default
rf arm-profile default
  assignment disable
rf arm-profile disable
  assignment disable
  no scanning
  no multi-band-scan
rf optimization-profile default
rf event-thresholds-profile default
rf am-scan-profile default
rf dot11a-radio-profile ch 165
  channel 48E
  tx-power 6
  arm-profile disable
rf dot11a-radio-profile ch 36
  channel 36E
  tx-power 25
  dot11h
  arm-profile disable
rf dot11a-radio-profile ch 40
  channel 40-
  tx-power 22
rf dot11a-radio-profile ch149
  channel 149E
  tx-power 6
  dot11h
rf dot11a-radio-profile ch44
  channel 44
  tx-power 16
rf dot11a-radio-profile default
  arm-profile disable
rf dot11g-radio-profile channel-1
  channel 1
  tx-power 6
  dot11h
  arm-profile disable
rf dot11g-radio-profile channel-11
  channel 11
  tx-power 30
  dot11h
  arm-profile disable
rf dot11g-radio-profile channel-6
  channel 6
  tx-power 25
  dot11h
  arm-profile disable
rf dot11g-radio-profile default
wlan handover-trigger-profile default

wlan rrm-ie-profile default
wlan bcn-rpt-req-profile default
wlan dot11r-profile default
wlan tsm-req-profile default
wlan voip-cac-profile default
  call-capacity 5
  bandwidth-capacity 200
  send-sip-status-code client 503
  send-sip-status-code server 503
wlan ht-ssid-profile default
  no 40MHz-enable
  no very-high-throughput-enable
  no 80MHz-enable
  no short-guard-intvl-20MHz
  no short-guard-intvl-40MHz
  no short-guard-intvl-80MHz
wlan hotspot anqp-venue-name-profile default
wlan hotspot anqp-nwk-auth-profile default
wlan hotspot anqp-roam-cons-profile default
wlan hotspot anqp-nai-realm-profile default
wlan hotspot anqp-3gpp-nwk-profile default
wlan hotspot h2qp-operator-friendly-name-profile default
wlan hotspot h2qp-wan-metrics-profile default
wlan hotspot h2qp-conn-capability-profile default
wlan hotspot h2qp-op-cl-profile default
wlan hotspot anqp-ip-addr-avail-profile default
wlan hotspot anqp-domain-name-profile default
wlan wmm-traffic-management-profile Ascom
  enable-shaping
wlan edca-parameters-profile station default
wlan edca-parameters-profile ap default
wlan dot11k-profile default
wlan ssid-profile --NEW--
  essid ArubaIntop2
  wmm-vo-dscp 56
  wmm-vi-dscp 40
  wmm-be-dscp 24
  wmm-bk-dscp 8
wlan ssid-profile default
  essid ArubaIntop
  opmode wpa2-psk-aes
  dtim-period 5
  g-basic-rates 6
  g-tx-rates 11 12 18 24 36 48 54

  max-retries 4
  wmm
  wmm-vo-dscp 46
  wmm-vi-dscp 40
  wmm-be-dscp 26
  wmm-bk-dscp 0
  wepkey1 1317981aecb1ee9a3145cbeeabbbc99a4c29e309ef9c8544
  wpa-passphrase 50a78a5dac7e447441e028920cceef898a3ba5f29c6e2098
  max-tx-fail 25
  edca-parameters-profile station default
  edca-parameters-profile ap default
wlan ssid-profile test
  opmode wpa2-psk-aes
  wmm-vo-dscp 56
  wmm-vi-dscp 40
  wmm-be-dscp 24
  wmm-bk-dscp 8
  wpa-passphrase c66913b490044f55538730b888a8522c02008a746fb88738
wlan hotspot advertisement-profile default
wlan hotspot hs2-profile default
wlan virtual-ap default
  aaa-profile default-dot1x
ap provisioning-profile default
rf arm-rf-domain-profile
  arm-rf-domain-key 49868e8b02680a8f03980ea4288197a4
ap-lacp-striping-ip
ap-group default
  virtual-ap default
  dot11a-radio-profile ch149
  dot11g-radio-profile channel-6
ap-name 001a1eca2c1a
  dot11a-radio-profile ch 36
  dot11g-radio-profile channel-11
ap-name 001a1eca2c76
  dot11a-radio-profile ch 36
  dot11g-radio-profile channel-1
ap-name 00246ccbf8b1
ap-name 00246ccbf900
  dot11a-radio-profile ch44
  dot11g-radio-profile channel-11
ap-name 24dec6cacabc
  dot11a-radio-profile ch149
  dot11g-radio-profile channel-1
ap-name 3400-ap-61-a
  dot11g-radio-profile channel-6
ap-name 3400-ap-61-b
  dot11g-radio-profile channel-6
ap-name 9c1c12c0c3bc
  dot11a-radio-profile ch 165
  dot11g-radio-profile channel-6

ap-name 9c1c12c82e5c
  dot11a-radio-profile ch149
  dot11g-radio-profile channel-1
ap-name 9c1c12cc6220
  dot11a-radio-profile ch 36
  dot11g-radio-profile channel-6
ap-name d8c7c8c0a168
  dot11a-radio-profile ch 36
  dot11g-radio-profile channel-1
airgroup cppm-server aaa
logging level warnings security subcat ids
logging level warnings security subcat ids-ap
snmp-server enable trap
snmp-server trap source 0000
snmp-server trap disable wlsxAdhocNetwork
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedAP
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedSta
snmp-server trap disable wlsxAdhocUsingValidSSID
snmp-server trap disable wlsxAuthMaxAclEntries
snmp-server trap disable wlsxAuthMaxBWContracts
snmp-server trap disable wlsxAuthMaxUserEntries
snmp-server trap disable wlsxAuthServerIsUp
snmp-server trap disable wlsxAuthServerReqTimedOut
snmp-server trap disable wlsxAuthServerTimedOut
snmp-server trap disable wlsxChannelChanged
snmp-server trap disable wlsxCoverageHoleDetected
snmp-server trap disable wlsxDBCommunicationFailure
snmp-server trap disable wlsxDisconnectStationAttack
snmp-server trap disable wlsxESIServerDown
snmp-server trap disable wlsxESIServerUp
snmp-server trap disable wlsxFanFailure
snmp-server trap disable wlsxFanTrayInserted
snmp-server trap disable wlsxFanTrayRemoved
snmp-server trap disable wlsxGBICInserted
snmp-server trap disable wlsxIpSpoofingDetected
snmp-server trap disable wlsxLCInserted
snmp-server trap disable wlsxLCRemoved
snmp-server trap disable wlsxLicenseExpiry
snmp-server trap disable wlsxLowMemory
snmp-server trap disable wlsxLowOnFlashSpace
snmp-server trap disable wlsxOutOfRangeTemperature
snmp-server trap disable wlsxOutOfRangeVoltage
snmp-server trap disable wlsxPowerSupplyFailure
snmp-server trap disable wlsxPowerSupplyMissing
snmp-server trap disable wlsxProcessDied
snmp-server trap disable wlsxProcessExceedsMemoryLimits
snmp-server trap disable wlsxSCInserted
snmp-server trap disable wlsxSignatureMatch
snmp-server trap disable wlsxStaUnAssociatedFromUnsecureAP
snmp-server trap disable wlsxStationAddedToBlackList
snmp-server trap disable wlsxStationRemovedFromBlackList
snmp-server trap disable wlsxSwitchIPChanged
snmp-server trap disable wlsxSwitchRoleChange
snmp-server trap disable wlsxUserAuthenticationFailed
snmp-server trap disable wlsxUserEntryAuthenticated
snmp-server trap disable wlsxUserEntryChanged
snmp-server trap disable wlsxUserEntryCreated
snmp-server trap disable wlsxUserEntryDeAuthenticated
snmp-server trap disable wlsxUserEntryDeleted
snmp-server trap disable wlsxVrrpStateChange

firewall-visibility
process monitor log
end

arm-profile default assignment disablerf arm-profile disable assignment disable no scanning no multi-band-scanrf optimization-profile defaultrf event-thresholds-profile defaultrf am-scan-profile defaultrf dot11a-radio-profile ch 165 channel 48E tx-power 6 arm-profile disablerf dot11a-radio-profile ch 36 channel 36E tx-power 25 dot11h arm-profile disablerf dot11a-radio-profile ch 40 channel 40- tx-power 22rf dot11a-radio-profile ch149 channel 149E tx-power 6 dot11hrf dot11a-radio-profile ch44 channel 44 tx-power 16rf dot11a-radio-profile default arm-profile disablerf dot11g-radio-profile channel-1 channel 1 tx-power 6 dot11h arm-profile disablerf dot11g-radio-profile channel-11 channel 11 tx-power 30 dot11h arm-profile disablerf dot11g-radio-profile channel-6 channel 6 tx-power 25 dot11h arm-profile disablerf dot11g-radio-profile defaultwlan handover-trigger-profile defaultwlan rrm-ie-profile defaultwlan bcn-rpt-req-profile defaultwlan dot11r-profile defaultwlan tsm-req-profile defaultwlan voip-cac-profile default call-capacity 5 bandwidth-capacity 200 send-sip-status-code client 503 send-sip-status-code server 503wlan ht-ssid-profile default no 40MHz-enable no very-high-throughput-enable no 80MHz-enable no short-guard-intvl-20MHz no short-guard-intvl-40MHz no short-guard-intvl-80MHzwlan hotspot anqp-venue-name-profile defaultwlan hotspot anqp-nwk-auth-profile defaultwlan hotspot anqp-roam-cons-profile defaultwlan hotspot anqp-nai-realm-profile defaultwlan hotspot anqp-3gpp-nwk-profile defaultwlan hotspot h2qp-operator-friendly-name-profile defaultwlan hotspot h2qp-wan-metrics-profile defaultwlan hotspot h2qp-conn-capability-profile defaultwlan hotspot h2qp-op-cl-profile defaultwlan hotspot anqp-ip-addr-avail-profile defaultwlan hotspot anqp-domain-name-profile defaultwlan wmm-traffic-management-profile Ascom enable-shapingwlan edca-parameters-profile station defaultwlan edca-parameters-profile ap defaultwlan dot11k-profile defaultwlan ssid-profile --NEW-- essid 
ArubaIntop2 wmm-vo-dscp 56 wmm-vi-dscp 40 wmm-be-dscp 24 wmm-bk-dscp 8wlan ssid-profile default essid ArubaIntop opmode wpa2-psk-aes dtim-period 5 g-basic-rates 6 g-tx-rates 11 12 18 24 36 48 54 max-retries 4 wmm wmm-vo-dscp 46 wmm-vi-dscp 40 wmm-be-dscp 26 wmm-bk-dscp 0 wepkey1 1317981aecb1ee9a3145cbeeabbbc99a4c29e309ef9c8544 wpa-passphrase 50a78a5dac7e447441e028920cceef898a3ba5f29c6e2098 max-tx-fail 25 edca-parameters-profile station default edca-parameters-profile ap defaultwlan ssid-profile test opmode wpa2-psk-aes wmm-vo-dscp 56 wmm-vi-dscp 40 wmm-be-dscp 24 wmm-bk-dscp 8 wpa-passphrase c66913b490044f55538730b888a8522c02008a746fb88738wlan hotspot advertisement-profile defaultwlan hotspot hs2-profile defaultwlan virtual-ap default aaa-profile default-dot1xap provisioning-profile defaultrf arm-rf-domain-profile arm-rf-domain-key 49868e8b02680a8f03980ea4288197a4ap-lacp-striping-ipap-group default virtual-ap default dot11a-radio-profile ch149 dot11g-radio-profile channel-6ap-name 001a1eca2c1a dot11a-radio-profile ch 36 dot11g-radio-profile channel-11ap-name 001a1eca2c76 dot11a-radio-profile ch 36 dot11g-radio-profile channel-1ap-name 00246ccbf8b1ap-name 00246ccbf900 dot11a-radio-profile ch44 dot11g-radio-profile channel-11ap-name 24dec6cacabc dot11a-radio-profile ch149 dot11g-radio-profile channel-1ap-name 3400-ap-61-a dot11g-radio-profile channel-6ap-name 3400-ap-61-b dot11g-radio-profile channel-6ap-name 9c1c12c0c3bc dot11a-radio-profile ch 165 dot11g-radio-profile channel-6ap-name 9c1c12c82e5c dot11a-radio-profile ch149 dot11g-radio-profile channel-1ap-name 9c1c12cc6220 dot11a-radio-profile ch 36 dot11g-radio-profile channel-6ap-name d8c7c8c0a168 dot11a-radio-profile ch 36 dot11g-radio-profile channel-1airgroup cppm-server aaalogging level warnings security subcat idslogging level warnings security subcat ids-apsnmp-server enable trapsnmp-server trap source 0000snmp-server trap disable wlsxAdhocNetworksnmp-server trap disable 
wlsxAdhocNetworkBridgeDetectedAPsnmp-server trap disable wlsxAdhocNetworkBridgeDetectedStasnmp-server trap disable wlsxAdhocUsingValidSSIDsnmp-server trap disable wlsxAuthMaxAclEntriessnmp-server trap disable wlsxAuthMaxBWContractssnmp-server trap disable wlsxAuthMaxUserEntriessnmp-server trap disable wlsxAuthServerIsUpsnmp-server trap disable wlsxAuthServerReqTimedOutsnmp-server trap disable wlsxAuthServerTimedOutsnmp-server trap disable wlsxChannelChangedsnmp-server trap disable wlsxCoverageHoleDetectedsnmp-server trap disable wlsxDBCommunicationFailuresnmp-server trap disable wlsxDisconnectStationAttacksnmp-server trap disable wlsxESIServerDownsnmp-server trap disable wlsxESIServerUpsnmp-server trap disable wlsxFanFailuresnmp-server trap disable wlsxFanTrayInsertedsnmp-server trap disable wlsxFanTrayRemovedsnmp-server trap disable wlsxGBICInsertedsnmp-server trap disable wlsxIpSpoofingDetectedsnmp-server trap disable wlsxLCInsertedsnmp-server trap disable wlsxLCRemovedsnmp-server trap disable wlsxLicenseExpirysnmp-server trap disable wlsxLowMemorysnmp-server trap disable wlsxLowOnFlashSpacesnmp-server trap disable wlsxOutOfRangeTemperaturesnmp-server trap disable wlsxOutOfRangeVoltagesnmp-server trap disable wlsxPowerSupplyFailuresnmp-server trap disable wlsxPowerSupplyMissingsnmp-server trap disable wlsxProcessDiedsnmp-server trap disable wlsxProcessExceedsMemoryLimitssnmp-server trap disable wlsxSCInsertedsnmp-server trap disable wlsxSignatureMatchsnmp-server trap disable wlsxStaUnAssociatedFromUnsecureAPsnmp-server trap disable wlsxStationAddedToBlackListsnmp-server trap disable wlsxStationRemovedFromBlackListsnmp-server trap disable wlsxSwitchIPChangedsnmp-server trap disable wlsxSwitchRoleChangesnmp-server trap disable wlsxUserAuthenticationFailedsnmp-server trap disable wlsxUserEntryAuthenticatedsnmp-server trap disable wlsxUserEntryChangedsnmp-server trap disable wlsxUserEntryCreatedsnmp-server trap disable wlsxUserEntryDeAuthenticatedsnmp-server trap 
disable wlsxUserEntryDeletedsnmp-server trap disable wlsxVrrpStateChangefirewall-visibility process monitor logend

WLAN Interoperability Test Report

Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP115 and AP225
WLAN configuration: Beacon Interval 100ms; DTIM Interval 5; 802.11d Regulatory Domain XX; WMM Enabled (AutoWMM); No Auto-tune; Single Voice VLAN

Test Case | Description | AP115 2.4GHz | AP115 5.0GHz | AP225 2.4GHz | AP225 5.0GHz | Comment

TEST AREA: ASSOCIATION / AUTHENTICATION
101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS |
104 | Association with WPA-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62
105 | Association with WPA-PSK authentication, AES-CCMP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62
106 | Association with WPA2-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS |
110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL
111 | Association with EAP-FAST authentication | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment
116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate

TEST AREA: POWER-SAVE AND QOS PASS
150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL
151 | Beacon period and DTIM interval | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED
152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment
202 | WMM prioritization | PASS | PASS | PASS | PASS | background load generated with iPerf. No degeneration of voice quality

TEST AREA: PERFORMANCE
301 | Active mode - unencrypted | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
303 | Active mode – encrypted with WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
308 | Power-save mode U-APSD – WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
309 | Power-save mode U-APSD – WPA2-PSK AES, background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
310 | CAC - TSPEC | PASS | PASS | PASS | PASS | No TSPEC based CAC

TEST AREA: ROAMING AND HANDOVER TIMES
401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | avg a/n 24ms, b/g/n 24ms
403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 52ms, b/g/n 59ms
408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 63ms, b/g/n 62ms
410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | always on, see 408
411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | always on, see 408

TEST AREA: BATTERY LIFETIME
501 | Battery lifetime in idle | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
502 | Battery lifetime in call with no power save | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
504 | Battery lifetime in call with power save mode U-APSD | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |

TEST AREA: STABILITY
601 | Duration of call – Active mode | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
602 | Duration of call – U-APSD mode | PASS | PASS | PASS | PASS |

TEST AREA: 802.11n
801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
804 | 40MHz channels | NOT TESTED | PASS | NOT TESTED | NOT TESTED |
805 | 802.11n rates | PASS | PASS | PASS | PASS |

WLAN Interoperability Test Report

Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP103 and AP205
WLAN configuration: Beacon Interval 100ms; DTIM Interval 5; 802.11d Regulatory Domain XX; WMM Enabled (AutoWMM); No Auto-tune; Single Voice VLAN

Test Case | Description | AP205 2.4GHz | AP205 5.0GHz | AP103 2.4GHz | AP103 5.0GHz | Comment

TEST AREA: ASSOCIATION / AUTHENTICATION
101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS |
104 | Association with WPA-PSK authentication, TKIP encryption | See Comment | See Comment | See Comment | See Comment | Not tested. Only possible in Mixed mode and requires advanced configuration of i62
105 | Association with WPA-PSK authentication, AES-CCMP encryption | See Comment | See Comment | See Comment | See Comment | Not tested. Only possible in Mixed mode and requires advanced configuration of i62
106 | Association with WPA2-PSK authentication, TKIP encryption | PASS | PASS | PASS | PASS |
107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS |
110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL
115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment
116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate

TEST AREA: POWER-SAVE AND QOS PASS
150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL
151 | Beacon period and DTIM interval | See Comment | See Comment | PASS | PASS | Only DTIM 1 for AP205; AP103 no remark NOT TESTED
152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment
202 | WMM prioritization | PASS | PASS | PASS | PASS |

TEST AREA: PERFORMANCE
301 | Active mode - unencrypted | PASS | PASS | PASS | PASS |
303 | Active mode – encrypted with WPA2-PSK | PASS | PASS | PASS | PASS |
308 | Power-save mode U-APSD – WPA2-PSK | PASS | PASS | PASS | PASS |
309 | Power-save mode U-APSD – WPA2-PSK AES, background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
310 | CAC - TSPEC | PASS | PASS | PASS | PASS | Non TSPEC based CAC

TEST AREA: ROAMING AND HANDOVER TIMES
401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 16ms, b/g/n 18ms
403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 53ms, b/g/n 59ms
408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 46ms, b/g/n 62ms
410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | always on, see 408
411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | always on, see 408

TEST AREA: BATTERY LIFETIME
501 | Battery lifetime in idle | See Comment | See Comment | PASS | PASS | 60-70h due to DTIM 1 only; AP103 90 100h (DTIM 5)
502 | Battery lifetime in call with no power save | PASS | PASS | PASS | PASS | 3-4 hours
504 | Battery lifetime in call with power save mode U-APSD | PASS | PASS | PASS | PASS | 13h (14-16h for AP103)

TEST AREA: STABILITY
601 | Duration of call – Active mode | PASS | PASS | PASS | PASS | 24h +
602 | Duration of call – U-APSD mode | PASS | PASS | PASS | PASS | 24h +

TEST AREA: 802.11n
801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
804 | 40MHz channels | NOT TESTED | PASS | NOT TESTED | PASS | AP205 80MHz channels verified OK
805 | 802.11n rates | PASS | PASS | PASS | PASS |

WLAN Interoperability Test Report

Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP105 and AP135
WLAN configuration: Beacon Interval 100ms; DTIM Interval 5; 802.11d Regulatory Domain XX; WMM Enabled (AutoWMM); No Auto-tune; Single Voice VLAN

Test Case | Description | AP105 2.4GHz | AP105 5.0GHz | AP135 2.4GHz | AP135 5.0GHz | Comment

TEST AREA: ASSOCIATION / AUTHENTICATION
101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS |
104 | Association with WPA-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62
105 | Association with WPA-PSK authentication, AES-CCMP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62
106 | Association with WPA2-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS |
110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL
115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment
116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate

TEST AREA: POWER-SAVE AND QOS PASS
150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL
151 | Beacon period and DTIM interval | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Only DTIM 1 for AP205; AP103 no remark NOT TESTED
152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment
202 | WMM prioritization | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | background load generated with iPerf. No degeneration of voice quality

TEST AREA: PERFORMANCE
301 | Active mode - unencrypted | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
303 | Active mode – encrypted with WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
308 | Power-save mode U-APSD – WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
309 | Power-save mode U-APSD – WPA2-PSK AES, background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
310 | CAC - TSPEC | PASS | PASS | PASS | PASS | No TSPEC based CAC

TEST AREA: ROAMING AND HANDOVER TIMES
401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | avg a/n 29ms, b/g/n 27ms
403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 57ms, b/g/n 55ms
408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 62ms, b/g/n 60ms
410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | Always on, see 408
411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | Always on, see 408
412 | Preauthentication | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |

TEST AREA: BATTERY LIFETIME
501 | Battery lifetime in idle | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
502 | Battery lifetime in call with no power save | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
504 | Battery lifetime in call with power save mode U-APSD | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |

TEST AREA: STABILITY
601 | Duration of call – Active mode | PASS | PASS | PASS | PASS |
602 | Duration of call – U-APSD mode | PASS | PASS | PASS | PASS |

TEST AREA: 802.11n
801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
804 | 40MHz channels | NOT TESTED | NOT TESTED | NOT TESTED | PASS |
805 | 802.11n rates | PASS | PASS | PASS | PASS |

Table of Contents

Introduction
Solution Components
Aruba Campus WLAN Solution
Ascom Solution
ArubaEdge Solution Qualification
Qualification Objective
Network Topology
Test Methodology
Summary Test Results
Known Limitations
Conclusion
Appendix 1
General settings (SSID, Radio and QoS)
Encryption and Authentication Settings
Ascom i62 Setting Summary
APPENDIX B
Test Summary
Aruba Test Configuration File

Introduction

This document describes the steps and guidelines necessary to configure Aruba’s wireless LAN (AOS version 6.4.2.0) infrastructure to interoperate with Ascom’s i62 handsets.

The guide is intended to be used in conjunction with Aruba and Ascom configuration guides. Please contact the respective company’s sales engineering or support groups should additional information be required.

Solution Verified: Ascom Phones
Aruba Product: Aruba Campus WLAN Solution, OS version 6.4.x.x
Partner Solution Tested: Ascom i62 Handset, Software version 5.2.8

Solution Components

Aruba Campus WLAN Solution

Secure and reliable mobility is the responsibility of the enterprise network, which must support a wide range of converged clients over wireless, wired, and remote access networks. Laptops and smartphones are capable of simultaneously running voice, data, and now video applications, an operating model that breaks traditional dedicated VLAN and SSID architectures. Delivering the quality of service (QoS), bandwidth, and management tools necessary to accommodate these devices on a grand scale – within a campus environment, to users on the road, and in branch offices – requires a specially tailored system design.

Aruba’s unique application and device fingerprinting enable the system to detect the types of traffic flows and the devices from which they originate. The network can then be dynamically conditioned to deliver QoS - on an application-by-application, device-by-device basis - as needed to ensure highly reliable application delivery. Aruba’s integrated policy enforcement firewall isolates applications from one another to essentially create multiple dedicated virtual networks, and then allocates the necessary bandwidth for each user and application.

To ensure reliable application delivery in changing RF environments, Aruba’s Adaptive Radio Management (ARM) technology forces client devices to shift away from the noisy 2.4GHz band to the quieter 5GHz band, adjusts radio power levels to blanket coverage areas, load balances by shifting clients between access points, and even allocates airtime based on the capabilities of each client device. The result is a superb user experience without any user involvement.

These services are complemented by security systems that ensure the integrity of the network. Rogue detection, wireless intrusion and prevention, access control, remote site VPN, content security scanning, end-to-end data encryption, and other services protect the network and users at all times.

Aruba’s extensive portfolio of campus, branch/teleworker, and mobile solutions simplify operations and secure access to unified communications applications and services - regardless of the user’s device, location, or network. This dramatically improves productivity, lowering capital and operational costs while providing a superior, uninterrupted user experience.

Ascom Solution

The Ascom i62 offers a sophisticated telephony, messaging, and alarm solution for enterprise business based on Wi-Fi technology. By offering Voice over Wi-Fi, only one network needs to be installed and maintained for all applications, including Internet access, e-mail, voice, and other business related applications.

The latest 802.11n and 802.11ac standards provide the benefits of higher throughput and longer range, increasing the ability to integrate with other systems and build efficient applications. With the new generation networks and handsets, the capacity and versatility outperforms any other on-site wireless technology.

The Ascom i62 offers a unique management tool with central management concept, enabling remote management and SW upgrades of the handsets over the air.

Certified Product Summary

Manufacturer: Ascom Wireless Solutions
Products Certified: Ascom i62 and OEM derivatives
Hardware Model Numbers: WH1-xxxx
Software Version Numbers: 5.2.8

RF Features Tested

Radio Supported: 802.11a/b/g/n
QoS Features Supported/Tested: WMM
Powersave Features Tested: U-APSD
Encryption Supported: WPA2-PSK, PEAP-MSCHAPv2, EAP-TLS
Encryption Tested: WPA2-PSK, PEAP-MSCHAPv2, EAP-TLS
802.11h Supported: Yes
Key Caching Support for Optimized Roaming: OKC and PMK

Voice Specific Features

Protocols Supported: SIP-UDP, SIP-TCP, SIP-TLS, H.323
Control Traffic Pattern: Handset to Server and vice versa
Voice Traffic Pattern: Peer-to-peer (between handsets)
Number of Calls per AP Tested: 18 calls (not AP-capacity limited)

ArubaEdge Solution Qualification

Qualification Objective

Validate the interoperability of the Ascom i62 with Aruba’s wireless LAN infrastructure (version 6.4.2.0).

Network Topology

Settings on the Aruba WLAN

Enable SNMP v2 on the Aruba Mobility Controller and configure the community string as follows:

The following Aruba Mobility Controller configuration settings are recommended for use with Ascom i62 handsets:

RF Recommended Settings for Ascom
   o Beacon Interval: 100ms
   o DTIM Period: 5
   o WMM U-APSD: Enabled
   o 802.11d Regulatory Domain: Country specific

Encryption and Authentication
   o The handset and the WLAN infrastructure support and were tested with WPA/WPA2 enterprise and PSK. Please refer to the Aruba configuration guide for additional information on how the SSIDs and encryption/authentication methods should be configured.

Adaptive Radio Management
   o Enable ARM voice aware scanning, WMM U-APSD, and band steering.

User Roles and Policies
   o The Ascom phones support SIP and H.323, so enable the voice ACL or the SIP and H.323 ACLs.

Ascom Settings

The following Ascom i62 Handset configuration settings are recommended for use with Aruba Mobility Controllers:

Ascom i62 Configuration

World Mode Regulatory Domain: set to World mode
IP DSCP for Voice: 0xC0 (46) – Expedited Forwarding
IP DSCP for Signaling: 0x68 (26) – Assured Forwarding 31
Transmit Gratuitous ARP: Enable

Refer to Appendix A for additional details.

Test Methodology

Summary Test Results

The features and functions listed below were assessed during interoperability testing. The test results are presented in the right-most column.

WLAN Controller Features

High Level Functionality | Result
Association Open with No Encryption | OK
Association Open with Static WEP 64/128 | Not tested
Association WPA-PSK TKIP | OK
Association WPA2-PSK TKIP/AES Encryption | OK
Association PEAP-MSCHAPv2 Auth TKIP Encryption | OK
Association PEAP-MSCHAPv2 Auth AES Encryption | OK
Association EAP-TLS | OK
Association Multiple ESSIDs | OK
Beacon Interval and DTIM Period | OK
Pre-authentication | N/A
PMKSA Caching | OK
WPA2-Opportunistic/Proactive Key Caching | OK
WMM Prioritization | OK
Active Mode (load test) | OK
802.11 Power-Save Mode | OK
802.11e U-APSD | OK
802.11e U-APSD (load test) | OK

Roaming

High Level Functionality | Result
Roaming Open with No Encryption | OK (Avg roaming time 24ms)
Roaming WPA-PSK TKIP Encryption | Not tested
Roaming WPA2-PSK AES Encryption | OK (Avg roaming time 59ms)
Roaming PEAP-MSCHAPv2 Auth AES Encryption | OK (Avg roaming time 68ms)

Stated roaming times were measured using 802.11b/g (n), AP-225. Refer to Appendix B for detailed test records.

Results observed with Opportunistic Key Caching enabled. Results average 400ms without Opportunistic Key Caching.

Known Limitations

- Note that AP-205/214/215/224/225/275 only supports DTIM 1. This will reduce the standby (idle) time from approximately 100 hours to 60 hours.

- Ascom i62 does not handle 802.11k info correctly, which affects roaming negatively. It is therefore highly recommended to configure the Aruba system not to advertise the 802.11k capabilities for the Ascom i62 SSID.

Conclusion

The verification, including association, authentication, roaming, and load test, produced very good results overall. Roaming times were in general good, with roaming times of around 40-60ms both when using WPA2-PSK/AES and PEAP-MSCHAPv2 (WPA2/AES).

Load testing showed that more than 18 Ascom i62 Handsets could maintain a call via a single Aruba access point when tested both in active and U-APSD modes. Note that 18 was the maximum number of devices tested and not the capacity limit.

Appendix 1

This section includes screenshots and explanations of basic settings required to use Ascom i62 Handsets with an Aruba 3400 Mobility Controller. Please note the security settings of each test case, as they were modified according to needs of the test cases.

The configuration file is found at the end of this appendix.

General settings (SSID, Radio and QoS)

Set DTIM Interval to 5 (for AP-204/205/214/215/224/225 only value 1 is supported). This value is recommended for maximum battery conservation without impacting call quality. Using a lower value will also decrease the standby time slightly.

Ascom recommends disabling the lowest rates and recommends that 12 Mbit/s is the lowest basic rate.

Ensure that WMM and U-APSD are enabled. To match the default values in the i62, use DSCP 46 for Voice, 26 for video, and 0 for best effort. It is also recommended that “Max Transmit Attempts” be set to 4.

Note: To further optimize performance, it is recommended that 802.11b clients be disallowed from associating by setting the 6 Mbps or 12 Mbps as Basic Rates in the 802.11g configuration.

Set “Maximum Transmit Failures” to 25.

“High throughput enable” enables 802.11n capabilities that are supported in combination with Open encryption and WPA2-AES (PSK or Enterprise).

Ascom does support use of both 40MHz and Very High Throughput enabled SSIDs, including 80MHz channels.

Ascom recommends a Beacon Interval of 100ms and advertising 802.11d/h capabilities.

General guidelines when deploying Ascom i62 handsets (SW version 2.5.7 or later) in 802.11a/n environments:

1. Enabling more than 8 channels will degrade roaming performance. Ascom strongly recommends against going above this limit.

2. Using 40 MHz channels (or “channel-bonding”) will reduce the number of non-DFS channels to two in ETSI regions (Europe). In FCC regions (North America), 40MHz is a more viable option because of the availability of additional non-DFS channels. The handset can co-exist with 40MHz stations in the same ESS.


3. Make sure that all non-DFS channels are taken before resorting to DFS channels. The handset can cope in mixed non-DFS and DFS environments; however, due to "unpredictability" introduced by radar detection protocols, voice quality may become distorted and roaming delayed. Hence, Ascom recommends avoiding the use of DFS channels in VoWi-Fi deployments.

DFS: Dynamic Frequency Selection (radar detection)

Ascom recommends a Beacon Interval of 100 ms and advertising 802.11d/h capabilities. For 802.11b/g/n, use only channels 1, 6 and 11. For 802.11a/n, use channels in accordance with Aruba's guidelines and in compliance with local regulations.
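An added example, not part of the original guide: a Python checker that parses `wlan ssid-profile` stanzas from an ArubaOS configuration and compares them with the values recommended in the general settings above. The sample stanzas and profile names are constructed; reporting an unset key as a finding is an assumption of the example, since a value missing from a stanza means the controller default is in use.

```python
import re

# Values recommended in the "General settings" text of this guide.
RECOMMENDED = {
    "dtim-period": 5,   # 1 on AP-204/205/214/215/224/225
    "max-retries": 4,   # "Max Transmit Attempts"
    "max-tx-fail": 25,  # "Maximum Transmit Failures"
    "wmm-vo-dscp": 46,
    "wmm-vi-dscp": 26,
    "wmm-be-dscp": 0,
}
DOT11B_RATES = {1, 2, 5, 11}  # "5" stands for 5.5 Mbps in ArubaOS rate lists
WPA2_AES_OPMODES = {"wpa2-psk-aes", "wpa2-aes"}

# Constructed sample input (not the test configuration from this guide).
SAMPLE_CONFIG = '''
wlan ssid-profile "voice-ok"
   essid "VoiceLab"
   opmode wpa2-aes
   dtim-period 5
   g-basic-rates 12
   g-tx-rates 12 18 24 36 48 54
   max-retries 4
   wmm
   wmm-vo-dscp 46
   wmm-vi-dscp 26
   wmm-be-dscp 0
   max-tx-fail 25
!
wlan ssid-profile "voice-legacy"
   essid "VoiceOld"
   opmode wpa-psk-tkip
   dtim-period 1
   g-basic-rates 1 2
   max-retries 8
   no wmm-uapsd
   wmm-vo-dscp 56
!
wlan virtual-ap "default"
   ssid-profile "voice-ok"
'''


def parse_ssid_profiles(config_text):
    """Return {profile name: {key: value}} for every ssid-profile stanza."""
    profiles, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!":                      # stanza separator
            current = None
            continue
        if not raw[0].isspace():             # top-level command starts a stanza
            m = re.match(r'wlan ssid-profile\s+"?([^"]+?)"?$', line)
            current = profiles.setdefault(m.group(1), {}) if m else None
            continue
        if current is None:                  # indented line of another stanza
            continue
        key, _, value = line.partition(" ")
        if key == "no" and value:            # "no wmm-uapsd" -> explicitly off
            current[value.split()[0]] = False
        else:                                # bare keyword ("wmm") -> flag set
            current[key] = value.strip().strip('"') if value else True
    return profiles


def check_profile(settings, dtim=5):
    """Compare one parsed stanza with the guide's values; return findings."""
    findings = []
    for key, want in {**RECOMMENDED, "dtim-period": dtim}.items():
        got = settings.get(key)
        if got is None:
            findings.append(f"{key}: not set in stanza, controller default applies (guide: {want})")
        elif str(got) != str(want):
            findings.append(f"{key}: {got} (guide: {want})")
    if settings.get("wmm") is not True:
        findings.append("wmm: not enabled in stanza (guide: WMM enabled)")
    if settings.get("wmm-uapsd") is False:
        findings.append("wmm-uapsd: disabled (guide: U-APSD enabled)")
    rates = {int(r) for r in str(settings.get("g-basic-rates", "")).split() if r.isdigit()}
    legacy = sorted(rates & DOT11B_RATES)
    if not rates:
        findings.append("g-basic-rates: not set in stanza (guide: 6 or 12 Mbps)")
    elif legacy:
        findings.append(f"g-basic-rates: 802.11b rates {legacy} are basic rates (guide: 6 or 12 Mbps)")
    opmode = settings.get("opmode")
    if opmode not in WPA2_AES_OPMODES:
        findings.append(f"opmode: {opmode} (guide: WPA2 with AES)")
    return findings


def audit(config_text, dtim=5):
    """Check every ssid-profile; pass dtim=1 for the AP-2xx models listed above."""
    return {name: check_profile(s, dtim) for name, s in parse_ssid_profiles(config_text).items()}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONFIG).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("   ", finding)
```
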

Encryption and Authentication Settings

WPA2-PSK: Set the security profile to WPA2-PSK, AES encryption.


Enterprise/.1X authentication

Step 1: When configuring the authentication mode using a RADIUS server, the IP address and the secret must correspond to the IP address and the credential used by the RADIUS server. The RADIUS server should be added to a Server Group.

Step 2: Create an 802.1X Authentication Profile.


Step 3: Choose the 802.1X Authentication Profile created in the previous step and configure the Authentication Server Group.

Choose the configured AAA Profile and set WPA2/AES as the security mode.

See Appendix B for the controller configuration used for the certification process.


Ascom i62 Setting Summary

Network settings for WPA2‐PSK


Network settings for .1X authentication (PEAP-MSCHAPv2)

802.1X authentication requires a root certificate to be uploaded to the phone by "right clicking" -> Edit certificates. EAP-TLS will require both a root and a client certificate.

Note that both a root and a client certificate are needed for TLS. Otherwise, only a root certificate is needed.

Server certificate validation can be overridden in version 4.1.12 and above per handset setting ("Validate server certificate" under Network settings).


APPENDIX B

Test Summary

Description              Runs
Tests passed             24
Tests Not Run            11
Tests fail               0
Test N/A                 0
Total Number of Tests    35


Aruba Test Configuration File

version 6.4
enable secret 7d3988e20126db68084797bcc038534bffc2ced01c24555806
hostname Aruba3400
clock timezone PST -8
location Building1.floor1
controller config 716
ip NAT pool dynamic-srcnat 0.0.0.0 0.0.0.0
ip access-list eth validuserethacl
   permit any
netservice svc-pcoip2-tcp tcp 4172
netservice svc-snmp-trap udp 162
netservice svc-netbios-dgm udp 138
netservice svc-citrix tcp 2598
netservice svc-smb-tcp tcp 445
netservice svc-ike udp 500
netservice svc-l2tp udp 1701
netservice svc-syslog udp 514
netservice svc-dhcp udp 67 68 alg dhcp
netservice svc-https tcp 443
netservice svc-ica tcp 1494
netservice svc-pptp tcp 1723
netservice svc-telnet tcp 23
netservice svc-http-accl tcp 88
netservice svc-sccp tcp 2000 alg sccp
netservice svc-sec-papi udp 8209
netservice svc-tftp udp 69 alg tftp
netservice svc-kerberos udp 88
netservice svc-sip-tcp tcp 5060
netservice svc-netbios-ssn tcp 139
netservice svc-pcoip-udp udp 50002
netservice svc-pcoip-tcp tcp 50002
netservice svc-pop3 tcp 110
netservice svc-adp udp 8200
netservice svc-cfgm-tcp tcp 8211
netservice svc-noe udp 32512 alg noe
netservice svc-http-proxy3 tcp 8888
netservice svc-lpd-tcp tcp 631
netservice svc-msrpc-tcp tcp 135 139
netservice svc-rtsp tcp 554 alg rtsp
netservice svc-dns udp 53 alg dns
netservice vnc tcp 5900 5905
netservice svc-vocera udp 5002 alg vocera
netservice svc-h323-tcp tcp 1720
netservice svc-h323-udp udp 1718 1719
netservice svc-http tcp 80
netservice svc-nterm tcp 1026 1028
netservice svc-sip-udp udp 5060
netservice svc-http-proxy2 tcp 8080
netservice svc-noe-oxo udp 5000 alg noe
netservice svc-papi udp 8211
netservice svc-ftp tcp 21 alg ftp
netservice svc-natt udp 4500
netservice svc-svp 119 alg svp
netservice svc-microsoft-ds tcp 445
netservice svc-gre 47
netservice svc-smtp tcp 25
netservice web tcp list 80 443
netservice svc-smb-udp udp 445
netservice svc-sips tcp 5061 alg sips
netservice svc-netbios-ns udp 137
netservice svc-esp 50


netservice svc-cups tcp 515
netservice svc-pcoip2-udp udp 4172
netservice svc-bootp udp 67 69
netservice svc-snmp udp 161
netservice svc-v6-dhcp udp 546 547
netservice svc-icmp 1
netservice svc-ntp udp 123
netservice svc-msrpc-udp udp 135 139
netservice svc-ssh tcp 22
netservice svc-http-proxy1 tcp 3128
netservice svc-v6-icmp 58
netservice svc-lpd-udp udp 631
netservice svc-vmware-rdp tcp 3389
netdestination6 ipv6-reserved-range
   invert
   network 2000::/3
netexthdr default
time-range night-hours periodic
   weekday 18:01 to 23:59
   weekday 00:00 to 07:59
time-range weekend periodic
   weekend 00:00 to 23:59
time-range working-hours periodic
   weekday 08:00 to 18:00
ip access-list session allow-diskservices
   any any svc-netbios-dgm permit
   any any svc-netbios-ssn permit
   any any svc-microsoft-ds permit
   any any svc-netbios-ns permit
ip access-list session control
   any any svc-papi permit
   any any svc-sec-papi permit
   user any udp 68 deny
   any any svc-icmp permit
   any any svc-dns permit
   any any svc-cfgm-tcp permit
   any any svc-adp permit
   any any svc-tftp permit
   any any svc-dhcp permit
   any any svc-natt permit
ip access-list session v6-icmp-acl
ip access-list session apprf-ascom-sacl
ip access-list session validuser
   network 169.254.0.0 255.255.0.0 any any deny
   network 127.0.0.0 255.0.0.0 any any deny
   network 224.0.0.0 240.0.0.0 any any deny
   host 255.255.255.255 any any deny
   network 240.0.0.0 240.0.0.0 any any deny
   any any any permit
   ipv6 host fe80:: any any deny
   ipv6 network fc00::/7 any any permit
   ipv6 network fe80::/64 any any permit
   ipv6 alias ipv6-reserved-range any any deny
   ipv6 any any any permit
ip access-list session vocera-acl
   any any svc-vocera permit queue high


ip access-list session v6-https-acl
ip access-list session vmware-acl
   any any svc-vmware-rdp permit tos 46 dot1p-priority 6
   any any svc-pcoip-tcp permit tos 46 dot1p-priority 6
   any any svc-pcoip-udp permit tos 46 dot1p-priority 6
   any any svc-pcoip2-tcp permit tos 46 dot1p-priority 6
   any any svc-pcoip2-udp permit tos 46 dot1p-priority 6
ip access-list session apprf-default-vpn-role-sacl
ip access-list session v6-control
   ipv6 any any svc-papi permit
   ipv6 any any svc-sec-papi permit
   ipv6 user any udp 547 deny
   ipv6 any any svc-v6-icmp permit
   ipv6 any any svc-dns permit
   ipv6 any any svc-cfgm-tcp permit
   ipv6 any any svc-adp permit
   ipv6 any any svc-tftp permit
   ipv6 any any svc-dhcp permit
   ipv6 any any svc-natt permit
ip access-list session icmp-acl
   any any svc-icmp permit
ip access-list session apprf-authenticated-sacl
ip access-list session apprf-stateful-dot1x-sacl
ip access-list session captiveportal
   user alias controller svc-https dst-nat 8081
   user any svc-http dst-nat 8080
   user any svc-https dst-nat 8081
   user any svc-http-proxy1 dst-nat 8088
   user any svc-http-proxy2 dst-nat 8088
   user any svc-http-proxy3 dst-nat 8088
ip access-list session v6-dhcp-acl
ip access-list session allowall
   any any any permit
ip access-list session v6-dns-acl
ip access-list session apprf-voice-sacl
ip access-list session lync-acl
   any any svc-sips permit queue high
ip access-list session test
ip access-list session sip-acl
   any any svc-sip-udp permit queue high
   any any svc-sip-tcp permit queue high
ip access-list session https-acl
   any any svc-https permit
ip access-list session citrix-acl
   any any svc-citrix permit tos 46 dot1p-priority 6
   any any svc-ica permit tos 46 dot1p-priority 6
ip access-list session dns-acl
   any any svc-dns permit


ip access-list session ascom
   any any any permit
ip access-list session ra-guard
   ipv6 user any icmpv6 rtr-adv deny
ip access-list session allow-printservices
   any any svc-cups permit
   any any svc-lpd-tcp permit
   any any svc-lpd-udp permit
ip access-list session logon-control
   user any udp 68 deny
   any any svc-icmp permit
   any any svc-dns permit
   any any svc-dhcp permit
   any any svc-natt permit
   any network 169.254.0.0 255.255.0.0 any deny
   any network 240.0.0.0 240.0.0.0 any deny
ip access-list session vpnlogon
   user any svc-ike permit
   user any svc-esp permit
   any any svc-l2tp permit
   any any svc-pptp permit
   any any svc-gre permit
ip access-list session srcnat
   user any any src-nat
ip access-list session skinny-acl
   any any svc-sccp permit queue high
ip access-list session tftp-acl
   any any svc-tftp permit
ip access-list session v6-allowall
ip access-list session apprf-cpbase-sacl
ip access-list session cplogout
   user alias controller svc-https dst-nat 8081
ip access-list session apprf-default-via-role-sacl
ip access-list session dhcp-acl
   any any svc-dhcp permit
ip access-list session http-acl
   any any svc-http permit
ip access-list session v6-http-acl
ip access-list session captiveportal6
   ipv6 user alias controller6 svc-https captive
   ipv6 user any svc-http captive
   ipv6 user any svc-https captive
   ipv6 user any svc-http-proxy1 captive
   ipv6 user any svc-http-proxy2 captive
   ipv6 user any svc-http-proxy3 captive
ip access-list session apprf-guest-sacl
ip access-list session ap-uplink-acl
   any any udp 68 permit


   any any svc-icmp permit
   any host 224.0.0.251 udp 5353 permit
ip access-list session ap-acl
   any any svc-gre permit
   any any svc-syslog permit
   any user svc-snmp permit
   user any svc-http permit
   user any svc-http-accl permit
   user any svc-smb-tcp permit
   user any svc-msrpc-tcp permit
   user any svc-snmp-trap permit
   user any svc-ntp permit
   user alias controller svc-ftp permit
ip access-list session svp-acl
   any any svc-svp permit queue high
   user host 224.0.1.116 any permit
ip access-list session noe-acl
   any any svc-noe permit queue high
ip access-list session global-sacl
ip access-list session v6-ap-acl
   ipv6 any any svc-gre permit
   ipv6 any any svc-syslog permit
   ipv6 any user svc-snmp permit
   ipv6 user any svc-snmp-trap permit
   ipv6 user any svc-ntp permit
   ipv6 user alias controller6 svc-ftp permit
ip access-list session h323-acl
   any any svc-h323-tcp permit queue high
   any any svc-h323-udp permit queue high
ip access-list session v6-logon-control
   ipv6 any network fc00::/7 any permit
   ipv6 any network fe80::/64 any permit
   ipv6 any alias ipv6-reserved-range any deny
vpn-dialer default-dialer
   ike authentication PRE-SHARE 0fa4598253e270cc96afbec0732b06120e4a3d76a908f6e2
dot1x high-watermark 60
dot1x low-watermark 57
user-role ap-role
   access-list session ra-guard
   access-list session control
   access-list session ap-acl
   access-list session v6-control
   access-list session v6-ap-acl
user-role denyall
user-role default-vpn-role
   access-list session global-sacl
   access-list session apprf-default-vpn-role-sacl
   access-list session ra-guard
   access-list session allowall
   access-list session v6-allowall
user-role cpbase
   access-list session global-sacl
   access-list session apprf-cpbase-sacl


user-role voice
   access-list session global-sacl
   access-list session apprf-voice-sacl
   access-list session ra-guard
   access-list session sip-acl
   access-list session noe-acl
   access-list session svp-acl
   access-list session vocera-acl
   access-list session skinny-acl
   access-list session h323-acl
   access-list session dhcp-acl
   access-list session tftp-acl
   access-list session dns-acl
   access-list session icmp-acl
user-role ascom
   access-list session global-sacl
   access-list session apprf-ascom-sacl
   access-list session ascom
user-role default-via-role
   access-list session global-sacl
   access-list session apprf-default-via-role-sacl
   access-list session allowall
   access-list session v6-allowall
user-role guest-logon
   captive-portal default
   access-list session ra-guard
   access-list session logon-control
   access-list session captiveportal
   access-list session v6-logon-control
   access-list session captiveportal6
user-role guest
   access-list session global-sacl
   access-list session apprf-guest-sacl
   access-list session ra-guard
   access-list session http-acl
   access-list session https-acl
   access-list session dhcp-acl
   access-list session icmp-acl
   access-list session dns-acl
   access-list session v6-http-acl
   access-list session v6-https-acl
   access-list session v6-dhcp-acl
   access-list session v6-icmp-acl
   access-list session v6-dns-acl
user-role stateful-dot1x
   access-list session global-sacl
   access-list session apprf-stateful-dot1x-sacl
user-role authenticated
   access-list session global-sacl
   access-list session apprf-authenticated-sacl
   access-list session ra-guard
   access-list session allowall
   access-list session v6-allowall
user-role logon
   access-list session ra-guard
   access-list session logon-control
   access-list session captiveportal
   access-list session vpnlogon
   access-list session v6-logon-control


   access-list session captiveportal6
no kernel coredump
interface mgmt
   shutdown
dialer group evdo_us
   init-string ATQ0V1E0
   dial-string ATDT#777
dialer group gsm_us
   init-string AT+CGDCONT=1,"IP","ISP.CINGULAR"
   dial-string ATD*99#
dialer group gsm_asia
   init-string AT+CGDCONT=1,"IP","internet"
   dial-string ATD*99***1#
dialer group vivo_br
   init-string AT+CGDCONT=1,"IP","zap.vivo.com.br"
   dial-string ATD*99#
no spanning-tree
interface gigabitethernet 1/0
   description GE1/0
   trusted
   trusted vlan 1-4094
interface gigabitethernet 1/1
   description GE1/1
   trusted
   trusted vlan 1-4094
interface gigabitethernet 1/2
   description GE1/2
   trusted
   trusted vlan 1-4094
interface gigabitethernet 1/3
   description GE1/3
   trusted
   trusted vlan 1-4094
interface vlan 1
   ip address 192.168.0.13 255.255.255.0
ip default-gateway 172201061
ip default-gateway 192.168.0.50
uplink disable


crypto isakmp policy 20
   encryption aes256
crypto isakmp policy 10001
crypto isakmp policy 10002
   encryption aes256
   authentication rsa-sig
crypto isakmp policy 10003
   encryption aes256
crypto isakmp policy 10004
   version v2
   encryption aes256
   authentication rsa-sig
crypto isakmp policy 10005
   encryption aes256
crypto isakmp policy 10006
   version v2
   encryption aes128
   authentication rsa-sig
crypto isakmp policy 10007
   version v2
   encryption aes128
crypto isakmp policy 10008
   version v2
   encryption aes128
   hash sha2-256-128
   group 19
   authentication ecdsa-256
   prf prf-hmac-sha256
crypto isakmp policy 10009
   version v2
   encryption aes256
   hash sha2-384-192
   group 20
   authentication ecdsa-384
   prf prf-hmac-sha384
crypto ipsec transform-set default-ha-transform esp-3des esp-sha-hmac
crypto ipsec transform-set default-boc-bm-transform esp-3des esp-sha-hmac
crypto ipsec transform-set default-rap-transform esp-aes256 esp-sha-hmac
crypto ipsec transform-set default-aes esp-aes256 esp-sha-hmac
crypto dynamic-map default-rap-ipsecmap 10001
   version v2
   set transform-set default-gcm256 default-gcm128 default-rap-transform
crypto dynamic-map default-dynamicmap 10000
   set transform-set default-transform default-aes


crypto map GLOBAL-IKEV2-MAP 10000 ipsec-isakmp dynamic default-rap-ipsecmap
crypto map GLOBAL-MAP 10000 ipsec-isakmp dynamic default-dynamicmap
crypto isakmp eap-passthrough eap-tls
crypto isakmp eap-passthrough eap-peap
crypto isakmp eap-passthrough eap-mschapv2
vpdn group l2tp
vpdn group pptp
tunneled-node-address 0.0.0.0
adp discovery enable
adp igmp-join enable
adp igmp-vlan 0
voice rtcp-inactivity disable
voice alg-based-cac enable
voice sip-midcall-req-timeout disable
ap ap-blacklist-time 3600
ap flush-r1-on-new-r0 disable
mgmt-user admin root 5436b5a101681372db26d314e974065944317cd3e1fe6a5534
no database synchronize
ip mobile domain default
airgroup mdns enable
airgroup dlna enable
airgroup location-discovery enable
airgroup active-wireless-discovery disable
airgroupservice airplay
   id _airplay._tcp
   id _raop._tcp
   id _appletv-v2._tcp
   description AirPlay
airgroupservice airprint
   id _ipp._tcp
   id _pdl-datastream._tcp
   id _printer._tcp
   id _scanner._tcp
   id _universal._sub._ipp._tcp
   id _universal._sub._ipps._tcp
   id _printer._sub._http._tcp
   id _http._tcp


   id _http-alt._tcp
   id _ipp-tls._tcp
   id _fax-ipp._tcp
   id _riousbprint._tcp
   id _cups._sub._ipp._tcp
   id _cups._sub._fax-ipp._tcp
   id _ica-networking._tcp
   id _ptp._tcp
   id _canon-bjnp1._tcp
   id _ipps._tcp
   id _ica-networking2._tcp
   description AirPrint
airgroupservice itunes
   id _home-sharing._tcp
   id _apple-mobdev._tcp
   id _daap._tcp
   id _dacp._tcp
   description iTunes
airgroupservice remotemgmt
   id _ssh._tcp
   id _sftp-ssh._tcp
   id _ftp._tcp
   id _telnet._tcp
   id _rfb._tcp
   id _net-assistant._tcp
   description Remote management
airgroupservice sharing
   id _odisk._tcp
   id _afpovertcp._tcp
   id _xgrid._tcp
   description Sharing
airgroupservice chat
   id _presence._tcp
   description Chat
airgroupservice googlecast
   id _googlecast._tcp
   description GoogleCast supported by Chromecast etc
airgroupservice DIAL
   id urn:dial-multiscreen-org:service:dial:1
   id urn:dial-multiscreen-org:device:dial:1
   description DIAL supported by Chromecast FireTV Roku etc
airgroupservice DLNA Media
   id urn:schemas-upnp-org:device:MediaServer:1
   id urn:schemas-upnp-org:device:MediaServer:2
   id urn:schemas-upnp-org:device:MediaServer:3
   id urn:schemas-upnp-org:device:MediaServer:4
   id urn:schemas-upnp-org:device:MediaRenderer:1
   id urn:schemas-upnp-org:device:MediaRenderer:2
   id urn:schemas-upnp-org:device:MediaRenderer:3
   id urn:schemas-upnp-org:device:MediaPlayer:1
   description Media
airgroupservice DLNA Print
   id urn:schemas-upnp-org:device:Printer:1
   id urn:schemas-upnp-org:service:PrintBasic:1
   id urn:schemas-upnp-org:service:PrintEnhanced:1
   description Print
airgroupservice allowall


   description Remaining-Services
airgroup service airplay enable
airgroup service airprint enable
airgroup service itunes disable
airgroup service remotemgmt disable
airgroup service sharing disable
airgroup service chat disable
airgroup service googlecast disable
airgroup service DIAL enable
airgroup service DLNA Media disable
airgroup service DLNA Print disable
airgroup service allowall disable
ip igmp
ipv6 mld
no firewall attack-rate cp 1024
firewall enable ICE-STUN based firewall traversal
firewall attack-rate grat-arp 50 drop
ipv6 firewall ext-hdr-parse-len 100
firewall cp
ip domain lookup
country US
aaa authentication mac default
aaa authentication dot1x ArubaIntop-dot1x_prof
aaa authentication dot1x ascom
   machine-authentication enable
   machine-authentication machine-default-role ascom
   machine-authentication user-default-role authenticated
   reauthentication
   termination enable
   termination eap-type eap-peap
   termination inner-eap-type eap-mschapv2
aaa authentication dot1x default
aaa authentication dot1x Freeradius
   machine-authentication enable
   machine-authentication machine-default-role ascom
   machine-authentication user-default-role authenticated
aaa authentication-server radius Intop
   host 192.168.0.2


   key 6035e299cd29e5ccb74cf92aac31ee2f
aaa server-group ascom
   auth-server Internal
aaa server-group default
   auth-server Internal
   set role condition role value-of
aaa server-group intop
   auth-server Intop
aaa profile ascom
   initial-role ascom
   authentication-dot1x ascom
   dot1x-default-role authenticated
   dot1x-server-group ascom
aaa profile default
aaa profile default-dot1x
   initial-role ascom
   authentication-dot1x Freeradius
   dot1x-default-role authenticated
   dot1x-server-group intop
aaa profile default-dot1x-psk
   initial-role ascom
   authentication-dot1x default-psk
   dot1x-default-role authenticated
aaa authentication captive-portal default
aaa authentication wispr default
aaa authentication vpn default
aaa authentication vpn default-rap
aaa authentication mgmt
aaa authentication stateful-ntlm default
aaa authentication stateful-kerberos default
aaa authentication stateful-dot1x
   server-group intop
aaa authentication wired
web-server
guest-access-email
voice logging
voice dialplan-profile default
app lync traffic-control default
voice real-time-config
voice sip
aaa password-policy mgmt


control-plane-security
   no cpsec-enable
ids wms-general-profile
   poll-retries 3
ids wms-local-system-profile
valid-network-oui-profile
upgrade-profile
license profile
activate-service-whitelist
file syncing profile
ifmap cppm
pan profile default
pan active-profile
ap system-profile default
ap regulatory-domain-profile default
   country-code US
   valid-11g-channel 1
   valid-11g-channel 6
   valid-11g-channel 11
   valid-11a-channel 36
   valid-11a-channel 40
   valid-11a-channel 44
   valid-11a-channel 48
   valid-11a-channel 149
   valid-11a-channel 153
   valid-11a-channel 157
   valid-11a-channel 161
   valid-11a-channel 165
   valid-11g-40mhz-channel-pair 1-5
   valid-11g-40mhz-channel-pair 7-11
   valid-11a-40mhz-channel-pair 36-40
   valid-11a-40mhz-channel-pair 44-48
   valid-11a-40mhz-channel-pair 149-153
   valid-11a-40mhz-channel-pair 157-161
ap wired-ap-profile default
ap enet-link-profile default
ap mesh-ht-ssid-profile default
ap lldp med-network-policy-profile default
ap mesh-cluster-profile default
ap lldp profile default
ap mesh-radio-profile default
ap wired-port-profile default
ids general-profile default
ids unauthorized-device-profile default


ids profile default
rf arm-profile default
   assignment disable
rf arm-profile disable
   assignment disable
   no scanning
   no multi-band-scan
rf optimization-profile default
rf event-thresholds-profile default
rf am-scan-profile default
rf dot11a-radio-profile ch 165
   channel 48E
   tx-power 6
   arm-profile disable
rf dot11a-radio-profile ch 36
   channel 36E
   tx-power 25
   dot11h
   arm-profile disable
rf dot11a-radio-profile ch 40
   channel 40-
   tx-power 22
rf dot11a-radio-profile ch149
   channel 149E
   tx-power 6
   dot11h
rf dot11a-radio-profile ch44
   channel 44
   tx-power 16
rf dot11a-radio-profile default
   arm-profile disable
rf dot11g-radio-profile channel-1
   channel 1
   tx-power 6
   dot11h
   arm-profile disable
rf dot11g-radio-profile channel-11
   channel 11
   tx-power 30
   dot11h
   arm-profile disable
rf dot11g-radio-profile channel-6
   channel 6
   tx-power 25
   dot11h
   arm-profile disable
rf dot11g-radio-profile default
wlan handover-trigger-profile default


wlan rrm-ie-profile default
wlan bcn-rpt-req-profile default
wlan dot11r-profile default
wlan tsm-req-profile default
wlan voip-cac-profile default
   call-capacity 5
   bandwidth-capacity 200
   send-sip-status-code client 503
   send-sip-status-code server 503
wlan ht-ssid-profile default
   no 40MHz-enable
   no very-high-throughput-enable
   no 80MHz-enable
   no short-guard-intvl-20MHz
   no short-guard-intvl-40MHz
   no short-guard-intvl-80MHz
wlan hotspot anqp-venue-name-profile default
wlan hotspot anqp-nwk-auth-profile default
wlan hotspot anqp-roam-cons-profile default
wlan hotspot anqp-nai-realm-profile default
wlan hotspot anqp-3gpp-nwk-profile default
wlan hotspot h2qp-operator-friendly-name-profile default
wlan hotspot h2qp-wan-metrics-profile default
wlan hotspot h2qp-conn-capability-profile default
wlan hotspot h2qp-op-cl-profile default
wlan hotspot anqp-ip-addr-avail-profile default
wlan hotspot anqp-domain-name-profile default
wlan wmm-traffic-management-profile Ascom
   enable-shaping
wlan edca-parameters-profile station default
wlan edca-parameters-profile ap default
wlan dot11k-profile default
wlan ssid-profile --NEW--
   essid ArubaIntop2
   wmm-vo-dscp 56
   wmm-vi-dscp 40
   wmm-be-dscp 24
   wmm-bk-dscp 8
wlan ssid-profile default
   essid ArubaIntop
   opmode wpa2-psk-aes
   dtim-period 5
   g-basic-rates 6
   g-tx-rates 11 12 18 24 36 48 54


   max-retries 4
   wmm
   wmm-vo-dscp 46
   wmm-vi-dscp 40
   wmm-be-dscp 26
   wmm-bk-dscp 0
   wepkey1 1317981aecb1ee9a3145cbeeabbbc99a4c29e309ef9c8544
   wpa-passphrase 50a78a5dac7e447441e028920cceef898a3ba5f29c6e2098
   max-tx-fail 25
   edca-parameters-profile station default
   edca-parameters-profile ap default
wlan ssid-profile test
   opmode wpa2-psk-aes
   wmm-vo-dscp 56
   wmm-vi-dscp 40
   wmm-be-dscp 24
   wmm-bk-dscp 8
   wpa-passphrase c66913b490044f55538730b888a8522c02008a746fb88738
wlan hotspot advertisement-profile default
wlan hotspot hs2-profile default
wlan virtual-ap default
   aaa-profile default-dot1x
ap provisioning-profile default
rf arm-rf-domain-profile
   arm-rf-domain-key 49868e8b02680a8f03980ea4288197a4
ap-lacp-striping-ip
ap-group default
   virtual-ap default
   dot11a-radio-profile ch149
   dot11g-radio-profile channel-6
ap-name 001a1eca2c1a
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-11
ap-name 001a1eca2c76
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-1
ap-name 00246ccbf8b1
ap-name 00246ccbf900
   dot11a-radio-profile ch44
   dot11g-radio-profile channel-11
ap-name 24dec6cacabc
   dot11a-radio-profile ch149
   dot11g-radio-profile channel-1
ap-name 3400-ap-61-a
   dot11g-radio-profile channel-6
ap-name 3400-ap-61-b
   dot11g-radio-profile channel-6
ap-name 9c1c12c0c3bc
   dot11a-radio-profile ch 165
   dot11g-radio-profile channel-6


ap-name 9c1c12c82e5c
   dot11a-radio-profile ch149
   dot11g-radio-profile channel-1
ap-name 9c1c12cc6220
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-6
ap-name d8c7c8c0a168
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-1
airgroup cppm-server aaa
logging level warnings security subcat ids
logging level warnings security subcat ids-ap
snmp-server enable trap
snmp-server trap source 0.0.0.0
snmp-server trap disable wlsxAdhocNetwork
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedAP
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedSta
snmp-server trap disable wlsxAdhocUsingValidSSID
snmp-server trap disable wlsxAuthMaxAclEntries
snmp-server trap disable wlsxAuthMaxBWContracts
snmp-server trap disable wlsxAuthMaxUserEntries
snmp-server trap disable wlsxAuthServerIsUp
snmp-server trap disable wlsxAuthServerReqTimedOut
snmp-server trap disable wlsxAuthServerTimedOut
snmp-server trap disable wlsxChannelChanged
snmp-server trap disable wlsxCoverageHoleDetected
snmp-server trap disable wlsxDBCommunicationFailure
snmp-server trap disable wlsxDisconnectStationAttack
snmp-server trap disable wlsxESIServerDown
snmp-server trap disable wlsxESIServerUp
snmp-server trap disable wlsxFanFailure
snmp-server trap disable wlsxFanTrayInserted
snmp-server trap disable wlsxFanTrayRemoved
snmp-server trap disable wlsxGBICInserted
snmp-server trap disable wlsxIpSpoofingDetected
snmp-server trap disable wlsxLCInserted
snmp-server trap disable wlsxLCRemoved
snmp-server trap disable wlsxLicenseExpiry
snmp-server trap disable wlsxLowMemory
snmp-server trap disable wlsxLowOnFlashSpace
snmp-server trap disable wlsxOutOfRangeTemperature
snmp-server trap disable wlsxOutOfRangeVoltage
snmp-server trap disable wlsxPowerSupplyFailure
snmp-server trap disable wlsxPowerSupplyMissing
snmp-server trap disable wlsxProcessDied
snmp-server trap disable wlsxProcessExceedsMemoryLimits
snmp-server trap disable wlsxSCInserted
snmp-server trap disable wlsxSignatureMatch
snmp-server trap disable wlsxStaUnAssociatedFromUnsecureAP
snmp-server trap disable wlsxStationAddedToBlackList
snmp-server trap disable wlsxStationRemovedFromBlackList
snmp-server trap disable wlsxSwitchIPChanged
snmp-server trap disable wlsxSwitchRoleChange
snmp-server trap disable wlsxUserAuthenticationFailed
snmp-server trap disable wlsxUserEntryAuthenticated
snmp-server trap disable wlsxUserEntryChanged
snmp-server trap disable wlsxUserEntryCreated
snmp-server trap disable wlsxUserEntryDeAuthenticated
snmp-server trap disable wlsxUserEntryDeleted
snmp-server trap disable wlsxVrrpStateChange


firewall-visibility
process monitor log
end

access-list session ap-acl access-list session v6-control access-list session v6-ap-acluser-role denyalluser-role default-vpn-role access-list session global-sacl access-list session apprf-default-vpn-role-sacl access-list session ra-guard access-list session allowall access-list session v6-allowalluser-role cpbase access-list session global-sacl access-list session apprf-cpbase-sacluser-role voice access-list session global-sacl access-list session apprf-voice-sacl access-list session ra-guard access-list session sip-acl access-list session noe-acl access-list session svp-acl access-list session vocera-acl access-list session skinny-acl access-list session h323-acl access-list session dhcp-acl access-list session tftp-acl access-list session dns-acl access-list session icmp-acluser-role ascom access-list session global-sacl access-list session apprf-ascom-sacl access-list session ascomuser-role default-via-role access-list session global-sacl access-list session apprf-default-via-role-sacl access-list session allowall access-list session v6-allowalluser-role guest-logon captive-portal default access-list session ra-guard access-list session logon-control access-list session captiveportal access-list session v6-logon-control access-list session captiveportal6user-role guest access-list session global-sacl access-list session apprf-guest-sacl access-list session ra-guard access-list session http-acl access-list session https-acl access-list session dhcp-acl access-list session icmp-acl access-list session dns-acl access-list session v6-http-acl access-list session v6-https-acl access-list session v6-dhcp-acl access-list session v6-icmp-acl access-list session v6-dns-acluser-role stateful-dot1x access-list session global-sacl access-list session apprf-stateful-dot1x-sacluser-role authenticated access-list session global-sacl access-list session apprf-authenticated-sacl access-list session ra-guard access-list session allowall access-list session v6-allowalluser-role 
logon access-list session ra-guard access-list session logon-control access-list session captiveportal access-list session vpnlogon access-list session v6-logon-control access-list session captiveportal6no kernel coredumpinterface mgmtshutdowndialer group evdo_us init-string ATQ0V1E0 dial-string ATDT777dialer group gsm_us init-string AT+CGDCONT=1IPISPCINGULAR dial-string ATD99dialer group gsm_asia init-string AT+CGDCONT=1IPinternet dial-string ATD991dialer group vivo_br init-string AT+CGDCONT=1IPzapvivocombr dial-string ATD99no spanning-treeinterface gigabitethernet 10description GE10trustedtrusted vlan 1-4094interface gigabitethernet 11description GE11trustedtrusted vlan 1-4094interface gigabitethernet 12description GE12trustedtrusted vlan 1-4094interface gigabitethernet 13description GE13trustedtrusted vlan 1-4094interface vlan 1ip address 192168013 2552552550ip default-gateway 172201061ip default-gateway 192168050uplink disablecrypto isakmp policy 20 encryption aes256crypto isakmp policy 10001crypto isakmp policy 10002 encryption aes256 authentication rsa-sigcrypto isakmp policy 10003 encryption aes256crypto isakmp policy 10004 version v2 encryption aes256 authentication rsa-sigcrypto isakmp policy 10005 encryption aes256crypto isakmp policy 10006 version v2 encryption aes128 authentication rsa-sigcrypto isakmp policy 10007 version v2 encryption aes128crypto isakmp policy 10008 version v2 encryption aes128 hash sha2-256-128 group 19 authentication ecdsa-256 prf prf-hmac-sha256crypto isakmp policy 10009 version v2 encryption aes256 hash sha2-384-192 group 20 authentication ecdsa-384 prf prf-hmac-sha384crypto ipsec transform-set default-ha-transform esp-3des esp-sha-hmaccrypto ipsec transform-set default-boc-bm-transform esp-3des esp-sha-hmaccrypto ipsec transform-set default-rap-transform esp-aes256 esp-sha-hmaccrypto ipsec transform-set default-aes esp-aes256 esp-sha-hmaccrypto dynamic-map default-rap-ipsecmap 10001 version v2 set transform-set default-gcm256 
default-gcm128 default-rap-transform crypto dynamic-map default-dynamicmap 10000 set transform-set default-transform default-aes crypto map GLOBAL-IKEV2-MAP 10000 ipsec-isakmp dynamic default-rap-ipsecmapcrypto map GLOBAL-MAP 10000 ipsec-isakmp dynamic default-dynamicmapcrypto isakmp eap-passthrough eap-tlscrypto isakmp eap-passthrough eap-peapcrypto isakmp eap-passthrough eap-mschapv2vpdn group l2tp vpdn group pptptunneled-node-address 0000adp discovery enableadp igmp-join enableadp igmp-vlan 0voice rtcp-inactivity disablevoice alg-based-cac enablevoice sip-midcall-req-timeout disableap ap-blacklist-time 3600ap flush-r1-on-new-r0 disablemgmt-user admin root 5436b5a101681372db26d314e974065944317cd3e1fe6a5534no database synchronizeip mobile domain defaultairgroup mdns enableairgroup dlna enableairgroup location-discovery enableairgroup active-wireless-discovery disableairgroupservice airplay id _airplay_tcp id _raop_tcp id _appletv-v2_tcp description AirPlayairgroupservice airprint id _ipp_tcp id _pdl-datastream_tcp id _printer_tcp id _scanner_tcp id _universal_sub_ipp_tcp id _universal_sub_ipps_tcp id _printer_sub_http_tcp id _http_tcp id _http-alt_tcp id _ipp-tls_tcp id _fax-ipp_tcp id _riousbprint_tcp id _cups_sub_ipp_tcp id _cups_sub_fax-ipp_tcp id _ica-networking_tcp id _ptp_tcp id _canon-bjnp1_tcp id _ipps_tcp id _ica-networking2_tcp description AirPrintairgroupservice itunes id _home-sharing_tcp id _apple-mobdev_tcp id _daap_tcp id _dacp_tcp description iTunesairgroupservice remotemgmt id _ssh_tcp id _sftp-ssh_tcp id _ftp_tcp id _telnet_tcp id _rfb_tcp id _net-assistant_tcp description Remote managementairgroupservice sharing id _odisk_tcp id _afpovertcp_tcp id _xgrid_tcp description Sharingairgroupservice chat id _presence_tcp description Chatairgroupservice googlecast id _googlecast_tcp description GoogleCast supported by Chromecast etcairgroupservice DIAL id urndial-multiscreen-orgservicedial1 id urndial-multiscreen-orgdevicedial1 description DIAL 
supported by Chromecast FireTV Roku etcairgroupservice DLNA Media id urnschemas-upnp-orgdeviceMediaServer1 id urnschemas-upnp-orgdeviceMediaServer2 id urnschemas-upnp-orgdeviceMediaServer3 id urnschemas-upnp-orgdeviceMediaServer4 id urnschemas-upnp-orgdeviceMediaRenderer1 id urnschemas-upnp-orgdeviceMediaRenderer2 id urnschemas-upnp-orgdeviceMediaRenderer3 id urnschemas-upnp-orgdeviceMediaPlayer1 description Mediaairgroupservice DLNA Print id urnschemas-upnp-orgdevicePrinter1 id urnschemas-upnp-orgservicePrintBasic1 id urnschemas-upnp-orgservicePrintEnhanced1 description Printairgroupservice allowall description Remaining-Servicesairgroup service airplay enableairgroup service airprint enableairgroup service itunes disableairgroup service remotemgmt disableairgroup service sharing disableairgroup service chat disableairgroup service googlecast disableairgroup service DIAL enableairgroup service DLNA Media disableairgroup service DLNA Print disableairgroup service allowall disableip igmpipv6 mldno firewall attack-rate cp 1024firewall enable ICE-STUN based firewall traversalfirewall attack-rate grat-arp 50 dropipv6 firewall ext-hdr-parse-len 100firewall cpip domain lookupcountry USaaa authentication mac defaultaaa authentication dot1x ArubaIntop-dot1x_profaaa authentication dot1x ascom machine-authentication enable machine-authentication machine-default-role ascom machine-authentication user-default-role authenticated reauthentication termination enable termination eap-type eap-peap termination inner-eap-type eap-mschapv2aaa authentication dot1x defaultaaa authentication dot1x Freeradius machine-authentication enable machine-authentication machine-default-role ascom machine-authentication user-default-role authenticatedaaa authentication-server radius Intop host 19216802 key 6035e299cd29e5ccb74cf92aac31ee2faaa server-group ascom auth-server Internalaaa server-group default auth-server Internal set role condition role value-ofaaa server-group intop auth-server 
Intopaaa profile ascom initial-role ascom authentication-dot1x ascom dot1x-default-role authenticated dot1x-server-group ascomaaa profile defaultaaa profile default-dot1x initial-role ascom authentication-dot1x Freeradius dot1x-default-role authenticated dot1x-server-group intopaaa profile default-dot1x-psk initial-role ascom authentication-dot1x default-psk dot1x-default-role authenticatedaaa authentication captive-portal defaultaaa authentication wispr defaultaaa authentication vpn defaultaaa authentication vpn default-rapaaa authentication mgmtaaa authentication stateful-ntlm defaultaaa authentication stateful-kerberos defaultaaa authentication stateful-dot1x server-group intopaaa authentication wiredweb-serverguest-access-emailvoice loggingvoice dialplan-profile defaultapp lync traffic-control defaultvoice real-time-configvoice sipaaa password-policy mgmtcontrol-plane-security no cpsec-enableids wms-general-profile poll-retries 3ids wms-local-system-profilevalid-network-oui-profileupgrade-profilelicense profileactivate-service-whitelistfile syncing profileifmap cppmpan profile defaultpan active-profileap system-profile defaultap regulatory-domain-profile default country-code US valid-11g-channel 1 valid-11g-channel 6 valid-11g-channel 11 valid-11a-channel 36 valid-11a-channel 40 valid-11a-channel 44 valid-11a-channel 48 valid-11a-channel 149 valid-11a-channel 153 valid-11a-channel 157 valid-11a-channel 161 valid-11a-channel 165 valid-11g-40mhz-channel-pair 1-5 valid-11g-40mhz-channel-pair 7-11 valid-11a-40mhz-channel-pair 36-40 valid-11a-40mhz-channel-pair 44-48 valid-11a-40mhz-channel-pair 149-153 valid-11a-40mhz-channel-pair 157-161ap wired-ap-profile defaultap enet-link-profile defaultap mesh-ht-ssid-profile defaultap lldp med-network-policy-profile defaultap mesh-cluster-profile defaultap lldp profile defaultap mesh-radio-profile defaultap wired-port-profile defaultids general-profile defaultids unauthorized-device-profile defaultids profile defaultrf 
arm-profile default assignment disablerf arm-profile disable assignment disable no scanning no multi-band-scanrf optimization-profile defaultrf event-thresholds-profile defaultrf am-scan-profile defaultrf dot11a-radio-profile ch 165 channel 48E tx-power 6 arm-profile disablerf dot11a-radio-profile ch 36 channel 36E tx-power 25 dot11h arm-profile disablerf dot11a-radio-profile ch 40 channel 40- tx-power 22rf dot11a-radio-profile ch149 channel 149E tx-power 6 dot11hrf dot11a-radio-profile ch44 channel 44 tx-power 16rf dot11a-radio-profile default arm-profile disablerf dot11g-radio-profile channel-1 channel 1 tx-power 6 dot11h arm-profile disablerf dot11g-radio-profile channel-11 channel 11 tx-power 30 dot11h arm-profile disablerf dot11g-radio-profile channel-6 channel 6 tx-power 25 dot11h arm-profile disablerf dot11g-radio-profile defaultwlan handover-trigger-profile defaultwlan rrm-ie-profile defaultwlan bcn-rpt-req-profile defaultwlan dot11r-profile defaultwlan tsm-req-profile defaultwlan voip-cac-profile default call-capacity 5 bandwidth-capacity 200 send-sip-status-code client 503 send-sip-status-code server 503wlan ht-ssid-profile default no 40MHz-enable no very-high-throughput-enable no 80MHz-enable no short-guard-intvl-20MHz no short-guard-intvl-40MHz no short-guard-intvl-80MHzwlan hotspot anqp-venue-name-profile defaultwlan hotspot anqp-nwk-auth-profile defaultwlan hotspot anqp-roam-cons-profile defaultwlan hotspot anqp-nai-realm-profile defaultwlan hotspot anqp-3gpp-nwk-profile defaultwlan hotspot h2qp-operator-friendly-name-profile defaultwlan hotspot h2qp-wan-metrics-profile defaultwlan hotspot h2qp-conn-capability-profile defaultwlan hotspot h2qp-op-cl-profile defaultwlan hotspot anqp-ip-addr-avail-profile defaultwlan hotspot anqp-domain-name-profile defaultwlan wmm-traffic-management-profile Ascom enable-shapingwlan edca-parameters-profile station defaultwlan edca-parameters-profile ap defaultwlan dot11k-profile defaultwlan ssid-profile --NEW-- essid 
ArubaIntop2 wmm-vo-dscp 56 wmm-vi-dscp 40 wmm-be-dscp 24 wmm-bk-dscp 8wlan ssid-profile default essid ArubaIntop opmode wpa2-psk-aes dtim-period 5 g-basic-rates 6 g-tx-rates 11 12 18 24 36 48 54 max-retries 4 wmm wmm-vo-dscp 46 wmm-vi-dscp 40 wmm-be-dscp 26 wmm-bk-dscp 0 wepkey1 1317981aecb1ee9a3145cbeeabbbc99a4c29e309ef9c8544 wpa-passphrase 50a78a5dac7e447441e028920cceef898a3ba5f29c6e2098 max-tx-fail 25 edca-parameters-profile station default edca-parameters-profile ap defaultwlan ssid-profile test opmode wpa2-psk-aes wmm-vo-dscp 56 wmm-vi-dscp 40 wmm-be-dscp 24 wmm-bk-dscp 8 wpa-passphrase c66913b490044f55538730b888a8522c02008a746fb88738wlan hotspot advertisement-profile defaultwlan hotspot hs2-profile defaultwlan virtual-ap default aaa-profile default-dot1xap provisioning-profile defaultrf arm-rf-domain-profile arm-rf-domain-key 49868e8b02680a8f03980ea4288197a4ap-lacp-striping-ipap-group default virtual-ap default dot11a-radio-profile ch149 dot11g-radio-profile channel-6ap-name 001a1eca2c1a dot11a-radio-profile ch 36 dot11g-radio-profile channel-11ap-name 001a1eca2c76 dot11a-radio-profile ch 36 dot11g-radio-profile channel-1ap-name 00246ccbf8b1ap-name 00246ccbf900 dot11a-radio-profile ch44 dot11g-radio-profile channel-11ap-name 24dec6cacabc dot11a-radio-profile ch149 dot11g-radio-profile channel-1ap-name 3400-ap-61-a dot11g-radio-profile channel-6ap-name 3400-ap-61-b dot11g-radio-profile channel-6ap-name 9c1c12c0c3bc dot11a-radio-profile ch 165 dot11g-radio-profile channel-6ap-name 9c1c12c82e5c dot11a-radio-profile ch149 dot11g-radio-profile channel-1ap-name 9c1c12cc6220 dot11a-radio-profile ch 36 dot11g-radio-profile channel-6ap-name d8c7c8c0a168 dot11a-radio-profile ch 36 dot11g-radio-profile channel-1airgroup cppm-server aaalogging level warnings security subcat idslogging level warnings security subcat ids-apsnmp-server enable trapsnmp-server trap source 0000snmp-server trap disable wlsxAdhocNetworksnmp-server trap disable 
wlsxAdhocNetworkBridgeDetectedAPsnmp-server trap disable wlsxAdhocNetworkBridgeDetectedStasnmp-server trap disable wlsxAdhocUsingValidSSIDsnmp-server trap disable wlsxAuthMaxAclEntriessnmp-server trap disable wlsxAuthMaxBWContractssnmp-server trap disable wlsxAuthMaxUserEntriessnmp-server trap disable wlsxAuthServerIsUpsnmp-server trap disable wlsxAuthServerReqTimedOutsnmp-server trap disable wlsxAuthServerTimedOutsnmp-server trap disable wlsxChannelChangedsnmp-server trap disable wlsxCoverageHoleDetectedsnmp-server trap disable wlsxDBCommunicationFailuresnmp-server trap disable wlsxDisconnectStationAttacksnmp-server trap disable wlsxESIServerDownsnmp-server trap disable wlsxESIServerUpsnmp-server trap disable wlsxFanFailuresnmp-server trap disable wlsxFanTrayInsertedsnmp-server trap disable wlsxFanTrayRemovedsnmp-server trap disable wlsxGBICInsertedsnmp-server trap disable wlsxIpSpoofingDetectedsnmp-server trap disable wlsxLCInsertedsnmp-server trap disable wlsxLCRemovedsnmp-server trap disable wlsxLicenseExpirysnmp-server trap disable wlsxLowMemorysnmp-server trap disable wlsxLowOnFlashSpacesnmp-server trap disable wlsxOutOfRangeTemperaturesnmp-server trap disable wlsxOutOfRangeVoltagesnmp-server trap disable wlsxPowerSupplyFailuresnmp-server trap disable wlsxPowerSupplyMissingsnmp-server trap disable wlsxProcessDiedsnmp-server trap disable wlsxProcessExceedsMemoryLimitssnmp-server trap disable wlsxSCInsertedsnmp-server trap disable wlsxSignatureMatchsnmp-server trap disable wlsxStaUnAssociatedFromUnsecureAPsnmp-server trap disable wlsxStationAddedToBlackListsnmp-server trap disable wlsxStationRemovedFromBlackListsnmp-server trap disable wlsxSwitchIPChangedsnmp-server trap disable wlsxSwitchRoleChangesnmp-server trap disable wlsxUserAuthenticationFailedsnmp-server trap disable wlsxUserEntryAuthenticatedsnmp-server trap disable wlsxUserEntryChangedsnmp-server trap disable wlsxUserEntryCreatedsnmp-server trap disable wlsxUserEntryDeAuthenticatedsnmp-server trap 
disable wlsxUserEntryDeletedsnmp-server trap disable wlsxVrrpStateChangefirewall-visibility process monitor logend

WLAN Interoperability Test Report

Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP115 and AP225

WLAN configuration:
Beacon Interval 100ms
DTIM Interval 5
802.11d Regulatory Domain XX
WMM Enabled (AutoWMM)
No Auto-tune
Single Voice VLAN

Columns: Test Case, Description, Verdict AP115 2.4GHz, Verdict AP115 5.0GHz, Verdict AP225 2.4GHz, Verdict AP225 5.0GHz, Comment
TEST AREA ASSOCIATION AUTHENTICATION
101 Association with open authentication no encryption PASS PASS PASS PASS
104 Association with WPA-PSK authentication TKIP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED Not tested. Only possible in Mixed mode and requires advanced configuration of i62
105 Association with WPA-PSK authentication AES-CCMP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED Not tested. Only possible in Mixed mode and requires advanced configuration of i62
106 Association with WPA2-PSK authentication TKIP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED
107 Association with WPA2-PSK authentication AES-CCMP encryption PASS PASS PASS PASS
110 Association with PEAP-MSCHAPv2 auth AES-CCMP encryption PASS PASS PASS PASS FreeRADIUS RootCA FAIL
111 Association with EAP-FAST authentication NOT TESTED NOT TESTED NOT TESTED NOT TESTED
115 Association with multiple ESSIDs on AP PASS PASS PASS PASS See Comment
116 Association with EAP-TLS authentication PASS PASS PASS PASS FreeRADIUS RootCA + client certificate
TEST AREA POWER-SAVE AND QOS PASS
150 802.11 Power-save mode PASS PASS PASS PASS FAIL
151 Beacon period and DTIM interval NOT TESTED NOT TESTED NOT TESTED NOT TESTED NOT TESTED
152 802.11e U-APSD PASS PASS PASS PASS See Comment
202 WMM prioritization PASS PASS PASS PASS background load generated with iPerf; no degeneration of voice quality
TEST AREA PERFORMANCE
301 Active mode - unencrypted NOT TESTED NOT TESTED NOT TESTED NOT TESTED
303 Active mode - encrypted with WPA2-PSK NOT TESTED NOT TESTED NOT TESTED NOT TESTED
308 Power-save mode U-APSD - WPA2-PSK NOT TESTED NOT TESTED NOT TESTED NOT TESTED
309 Power-save mode U-APSD - WPA2-PSK AES background load NOT TESTED NOT TESTED NOT TESTED NOT TESTED
310 CAC - TSPEC PASS PASS PASS PASS No TSPEC based CAC
TEST AREA ROAMING AND HANDOVER TIMES
401 Handover with open authentication and no encryption PASS PASS PASS PASS avg a/n 24ms, b/g/n 24ms
403 Handover with WPA-PSK authentication and TKIP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED
404 Handover with WPA2-PSK auth and AES-CCMP encryption PASS PASS PASS PASS avg a/n 52ms, b/g/n 59ms
408 Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption PASS PASS PASS PASS avg a/n 63ms, b/g/n 62ms
410 Handover using PMKSA caching PASS PASS PASS PASS always on, see 408
411 Handover using PMKSA and opportunistic/proactive key caching PASS PASS PASS PASS always on, see 408
TEST AREA BATTERY LIFETIME
501 Battery lifetime in idle NOT TESTED NOT TESTED NOT TESTED NOT TESTED
502 Battery lifetime in call with no power save NOT TESTED NOT TESTED NOT TESTED NOT TESTED
504 Battery lifetime in call with power save mode U-APSD NOT TESTED NOT TESTED NOT TESTED NOT TESTED
TEST AREA STABILITY
601 Duration of call - Active mode NOT TESTED NOT TESTED NOT TESTED NOT TESTED
602 Duration of call - U-APSD mode PASS PASS PASS PASS
TEST AREA 802.11n
801 Frame aggregation A-MSDU NOT TESTED NOT TESTED NOT TESTED NOT TESTED
802 Frame aggregation A-MPDU NOT TESTED NOT TESTED NOT TESTED NOT TESTED
804 40MHz channels NOT TESTED PASS NOT TESTED NOT TESTED
805 802.11n rates PASS PASS PASS PASS

WLAN Interoperability Test Report

Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP103 and AP205

WLAN configuration:
Beacon Interval 100ms
DTIM Interval 5
802.11d Regulatory Domain XX
WMM Enabled (AutoWMM)
No Auto-tune
Single Voice VLAN

Columns: Test Case, Description, Verdict AP205 2.4GHz, Verdict AP205 5.0GHz, Verdict AP103 2.4GHz, Verdict AP103 5.0GHz, Comment
TEST AREA ASSOCIATION AUTHENTICATION
101 Association with open authentication no encryption PASS PASS PASS PASS
104 Association with WPA-PSK authentication TKIP encryption See Comment See Comment See Comment See Comment Not tested. Only possible in Mixed mode and requires advanced configuration of i62
105 Association with WPA-PSK authentication AES-CCMP encryption See Comment See Comment See Comment See Comment Not tested. Only possible in Mixed mode and requires advanced configuration of i62
106 Association with WPA2-PSK authentication TKIP encryption PASS PASS PASS PASS
107 Association with WPA2-PSK authentication AES-CCMP encryption PASS PASS PASS PASS
110 Association with PEAP-MSCHAPv2 auth AES-CCMP encryption PASS PASS PASS PASS FreeRADIUS RootCA FAIL
115 Association with multiple ESSIDs on AP PASS PASS PASS PASS See Comment
116 Association with EAP-TLS authentication PASS PASS PASS PASS FreeRADIUS RootCA + client certificate
TEST AREA POWER-SAVE AND QOS PASS
150 802.11 Power-save mode PASS PASS PASS PASS FAIL
151 Beacon period and DTIM interval See Comment See Comment PASS PASS Only DTIM 1 for AP205; AP103 no remark NOT TESTED
152 802.11e U-APSD PASS PASS PASS PASS See Comment
202 WMM prioritization PASS PASS PASS PASS
TEST AREA PERFORMANCE
301 Active mode - unencrypted PASS PASS PASS PASS
303 Active mode - encrypted with WPA2-PSK PASS PASS PASS PASS
308 Power-save mode U-APSD - WPA2-PSK PASS PASS PASS PASS
309 Power-save mode U-APSD - WPA2-PSK AES background load NOT TESTED NOT TESTED NOT TESTED NOT TESTED
310 CAC - TSPEC PASS PASS PASS PASS Non tspec based CAC
TEST AREA ROAMING AND HANDOVER TIMES
401 Handover with open authentication and no encryption PASS PASS PASS PASS Typical average roaming time a/n/ac 16ms, b/g/n 18ms
403 Handover with WPA-PSK authentication and TKIP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED
404 Handover with WPA2-PSK auth and AES-CCMP encryption PASS PASS PASS PASS Typical average roaming time a/n/ac 53ms, b/g/n 59ms
408 Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption PASS PASS PASS PASS Typical average roaming time a/n/ac 46ms, b/g/n 62ms
410 Handover using PMKSA caching PASS PASS PASS PASS always on, see 408
411 Handover using PMKSA and opportunistic/proactive key caching PASS PASS PASS PASS always on, see 408
TEST AREA BATTERY LIFETIME
501 Battery lifetime in idle See Comment See Comment PASS PASS 60-70h due to DTIM 1 only; AP103 90-100h (DTIM 5)
502 Battery lifetime in call with no power save PASS PASS PASS PASS 3-4hours
504 Battery lifetime in call with power save mode U-APSD PASS PASS PASS PASS 13h (14-16h for AP103)
TEST AREA STABILITY
601 Duration of call - Active mode PASS PASS PASS PASS 24h +
602 Duration of call - U-APSD mode PASS PASS PASS PASS 24h +
TEST AREA 802.11n
801 Frame aggregation A-MSDU NOT TESTED NOT TESTED NOT TESTED NOT TESTED
802 Frame aggregation A-MPDU NOT TESTED NOT TESTED NOT TESTED NOT TESTED
804 40MHz channels NOT TESTED PASS NOT TESTED PASS AP205 80MHz channels verified ok
805 802.11n rates PASS PASS PASS PASS

WLAN Interoperability Test Report

Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP105 and AP135

WLAN configuration:
Beacon Interval 100ms
DTIM Interval 5
802.11d Regulatory Domain XX
WMM Enabled (AutoWMM)
No Auto-tune
Single Voice VLAN

Columns: Test Case, Description, Verdict AP105 2.4GHz, Verdict AP105 5.0GHz, Verdict AP135 2.4GHz, Verdict AP135 5.0GHz, Comment
TEST AREA ASSOCIATION AUTHENTICATION
101 Association with open authentication no encryption PASS PASS PASS PASS
104 Association with WPA-PSK authentication TKIP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED Not tested. Only possible in Mixed mode and requires advanced configuration of i62
105 Association with WPA-PSK authentication AES-CCMP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED Not tested. Only possible in Mixed mode and requires advanced configuration of i62
106 Association with WPA2-PSK authentication TKIP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED
107 Association with WPA2-PSK authentication AES-CCMP encryption PASS PASS PASS PASS
110 Association with PEAP-MSCHAPv2 auth AES-CCMP encryption PASS PASS PASS PASS FreeRADIUS RootCA FAIL
115 Association with multiple ESSIDs on AP PASS PASS PASS PASS See Comment
116 Association with EAP-TLS authentication PASS PASS PASS PASS FreeRADIUS RootCA + client certificate
TEST AREA POWER-SAVE AND QOS PASS
150 802.11 Power-save mode PASS PASS PASS PASS FAIL
151 Beacon period and DTIM interval NOT TESTED NOT TESTED NOT TESTED NOT TESTED Only DTIM 1 for AP205; AP103 no remark NOT TESTED
152 802.11e U-APSD PASS PASS PASS PASS See Comment
202 WMM prioritization NOT TESTED NOT TESTED NOT TESTED NOT TESTED background load generated with iPerf; no degeneration of voice quality
TEST AREA PERFORMANCE
301 Active mode - unencrypted NOT TESTED NOT TESTED NOT TESTED NOT TESTED
303 Active mode - encrypted with WPA2-PSK NOT TESTED NOT TESTED NOT TESTED NOT TESTED
308 Power-save mode U-APSD - WPA2-PSK NOT TESTED NOT TESTED NOT TESTED NOT TESTED
309 Power-save mode U-APSD - WPA2-PSK AES background load NOT TESTED NOT TESTED NOT TESTED NOT TESTED
310 CAC - TSPEC PASS PASS PASS PASS No TSPEC based CAC
TEST AREA ROAMING AND HANDOVER TIMES
401 Handover with open authentication and no encryption PASS PASS PASS PASS avg a/n 29ms, b/g/n 27ms
403 Handover with WPA-PSK authentication and TKIP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED
404 Handover with WPA2-PSK auth and AES-CCMP encryption PASS PASS PASS PASS avg a/n 57ms, b/g/n 55ms
408 Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption PASS PASS PASS PASS avg a/n 62ms, b/g/n 60ms
410 Handover using PMKSA caching PASS PASS PASS PASS Always on, see 408
411 Handover using PMKSA and opportunistic/proactive key caching PASS PASS PASS PASS Always on, see 408
412 Preauthentication NOT TESTED NOT TESTED NOT TESTED NOT TESTED
TEST AREA BATTERY LIFETIME
501 Battery lifetime in idle NOT TESTED NOT TESTED NOT TESTED NOT TESTED
502 Battery lifetime in call with no power save NOT TESTED NOT TESTED NOT TESTED NOT TESTED
504 Battery lifetime in call with power save mode U-APSD NOT TESTED NOT TESTED NOT TESTED NOT TESTED
TEST AREA STABILITY
601 Duration of call - Active mode PASS PASS PASS PASS
602 Duration of call - U-APSD mode PASS PASS PASS PASS
TEST AREA 802.11n
801 Frame aggregation A-MSDU NOT TESTED NOT TESTED NOT TESTED NOT TESTED
802 Frame aggregation A-MPDU NOT TESTED NOT TESTED NOT TESTED NOT TESTED
804 40MHz channels NOT TESTED NOT TESTED NOT TESTED PASS
805 802.11n rates PASS PASS PASS PASS

Introduction

This document describes the steps and guidelines necessary to configure Aruba's wireless LAN (AOS version 6.4.2.0) infrastructure to interoperate with Ascom's i62 handsets.

The guide is intended to be used in conjunction with Aruba and Ascom configuration guides. Please contact the respective company's sales engineering or support groups should additional information be required.

Solution Verified: Ascom Phones
Aruba Product: Aruba Campus WLAN Solution, OS version 6.4.x.x
Partner Solution Tested: Ascom i62 Handset, Software version 5.2.8

Solution Components

Aruba Campus WLAN Solution

Secure and reliable mobility is the responsibility of the enterprise network, which must support a wide range of converged clients over wireless, wired, and remote access networks. Laptops and smartphones are capable of simultaneously running voice, data, and now video applications, an operating model that breaks traditional dedicated VLAN and SSID architectures. Delivering the quality of service (QoS), bandwidth, and management tools necessary to accommodate these devices on a grand scale - within a campus environment, to users on the road, and in branch offices - requires a specially tailored system design.

Aruba's unique application and device fingerprinting enable the system to detect the types of traffic flows and the devices from which they originate. The network can then be dynamically conditioned to deliver QoS - on an application-by-application, device-by-device basis - as needed to ensure highly reliable application delivery. Aruba's integrated policy enforcement firewall isolates applications from one another to essentially create multiple dedicated virtual networks, and then allocates the necessary bandwidth for each user and application.

To ensure reliable application delivery in changing RF environments, Aruba's Adaptive Radio Management (ARM) technology forces client devices to shift away from the noisy 2.4GHz band to the quieter 5GHz band, adjusts radio power levels to blanket coverage areas, load balances by shifting clients between access points, and even allocates airtime based on the capabilities of each client device. The result is a superb user experience without any user involvement.

These services are complemented by security systems that ensure the integrity of the network. Rogue detection, wireless intrusion and prevention, access control, remote site VPN, content security scanning, end-to-end data encryption, and other services protect the network and users at all times.

DeployingAscomrsquosi62VoWi‐FiHandsetwithArubaNetworksrsquoSecureMobilitySolution 4

Arubarsquos extensive portfolio of campus branchteleworker and mobile solutions simplify operations and

secure access to unified communications applications and services ‐ regardless of the users device

location or network This dramatically improves productivity lowering capital and operational costs

while providing a superior uninterrupted user experience

Ascom Solution

The Ascom i62 offers a sophisticated telephony, messaging and alarm solution for enterprise business based on Wi-Fi technology. By offering Voice over Wi-Fi, only one network needs to be installed and maintained for all applications, including Internet access, e-mail, voice and other business related applications.

The latest 802.11n and 802.11ac standards provide the benefits of higher throughput and longer range, increasing the ability to integrate with other systems and build efficient applications. With the new generation networks and handsets, the capacity and versatility outperform any other on-site wireless technology.

The Ascom i62 offers a unique management tool with a central management concept, enabling remote management and SW upgrades of the handsets over the air.

Certified Product Summary

Manufacturer: Ascom Wireless Solutions
Products Certified: Ascom i62 and OEM derivatives
Hardware Model Numbers: WH1-xxxx
Software Version Numbers: 5.2.8

RF Features Tested

Radio Supported: 802.11a/b/g/n
QoS Features Supported/Tested: WMM
Powersave Features Tested: U-APSD
Encryption Supported: WPA2-PSK, PEAP-MSCHAPv2, EAP-TLS
Encryption Tested: WPA2-PSK, PEAP-MSCHAPv2, EAP-TLS
802.11h Supported: Yes
Key Caching Support for Optimized Roaming: OKC and PMK

Voice Specific Features

Protocols Supported: SIP-UDP, SIP-TCP, SIP-TLS, H.323
Control Traffic Pattern: Handset to Server and vice versa
Voice Traffic Pattern: Peer-to-peer (between handsets)
# of Calls per AP Tested: 18 calls (not AP-capacity limited)

Aruba Edge Solution Qualification

Qualification Objective

Validate the interoperability of the Ascom i62 with Aruba's wireless LAN infrastructure (version 6.4.2.0).

Network Topology

Settings on the Aruba WLAN

Enable SNMP v2 on the Aruba Mobility Controller and configure the community string as follows:

The following Aruba Mobility Controller configuration settings are recommended for use with Ascom i62 handsets:

- RF Recommended Settings for Ascom
  o Beacon Interval: 100ms
  o DTIM Period: 5
  o WMM U-APSD: Enabled
  o 802.11d Regulatory Domain: Country specific
- Encryption and Authentication
  o The handset and the WLAN infrastructure support and were tested with WPA/WPA2 enterprise and PSK. Please refer to the Aruba configuration guide for additional information on how the SSIDs and encryption/authentication methods should be configured.
- Adaptive Radio Management
  o Enable ARM voice aware scanning, WMM U-APSD and band steering.
- User Roles and Policies
  o The Ascom phones support SIP and H.323, so enable the voice ACL or the SIP and H.323 ACLs.

Ascom Settings

The following Ascom i62 Handset configuration settings are recommended for use with Aruba Mobility Controllers:

Ascom i62 Configuration

World Mode Regulatory Domain: set to World mode
IP DSCP for Voice: 0xC0 (46) – Expedited Forwarding
IP DSCP for Signaling: 0x68 (26) – Assured Forwarding 31
Transmit Gratuitous ARP: Enable

Refer to Appendix A for additional details.

Test Methodology

Summary Test Results

The features and functions listed below were assessed during interoperability testing. The test results are presented in the right-most column.

WLAN Controller Features

High Level Functionality | Result
Association Open with No Encryption | OK
Association Open with Static WEP64/128 | Not tested
Association WPA-PSK TKIP | OK
Association WPA2-PSK TKIP AES Encryption | OK
Association PEAP-MSCHAPv2 Auth TKIP Encryption | OK
Association PEAP-MSCHAPv2 Auth AES Encryption | OK
Association EAP-TLS | OK
Association Multiple ESSIDs | OK
Beacon Interval and DTIM Period | OK
Pre-authentication | NA
PMKSA Caching | OK
WPA2-Opportunistic/Proactive Key Caching | OK
WMM Prioritization | OK
Active Mode (load test) | OK
802.11 Power-Save Mode | OK
802.11e U-APSD | OK
802.11e U-APSD (load test) | OK

Roaming

High Level Functionality | Result
Roaming Open with No Encryption | OK (Avg roaming time 24ms)
Roaming WPA-PSK TKIP Encryption | Not tested
Roaming WPA2-PSK AES Encryption | OK (Avg roaming time 59ms)
Roaming PEAP-MSCHAPv2 Auth AES Encryption | OK (Avg roaming time 68ms)

Note: Stated roaming times were measured using 802.11b/g (n) AP-225. Refer to Appendix B for detailed test records.

Note: Results observed with Opportunistic Key Caching enabled. Results average 400ms without Opportunistic Key Caching.

Known Limitations

- Note that AP-205/214/215/224/225/275 only supports DTIM 1. This will reduce the standby (idle) time from approximately 100 hours to 60 hours.
- Ascom i62 does not handle 802.11k info correctly, which affects the roaming negatively. It is therefore highly recommended to configure the Aruba system not to advertise the 802.11k capabilities for the Ascom i62 SSID.

Conclusion

The verification, including association, authentication, roaming and load test, produced very good results overall. Roaming times were in general good, with roaming times of around 40-60ms both when using WPA2-PSK/AES and PEAP-MSCHAPv2 (WPA2/AES).

Load testing showed that more than 18 Ascom i62 Handsets could maintain a call via a single Aruba access point when tested both in active and U-APSD modes. Note that 18 was the maximum number of devices tested and not the capacity limit.

Appendix 1

This section includes screenshots and explanations of basic settings required to use Ascom i62 Handsets with an Aruba 3400 Mobility Controller. Please note the security settings of each test case, as they were modified according to the needs of the test cases.

The configuration file is found at the end of this appendix.

General settings (SSID, Radio and QoS)

Set DTIM Interval to 5 (for AP-204/205/214/215/224/225 only value 1 is supported). This value is recommended for maximum battery conservation without impacting call quality. Using a lower value will also decrease the standby time slightly.

Ascom recommends disabling the lowest rates and recommends that 12 Mbit/s is the lowest basic rate.

Ensure that WMM and U-APSD are enabled. To match the default values in the i62, use DSCP 46 for Voice, 26 for video and 0 for best effort. It is also recommended that "Max Transmit Attempts" be set to 4.

Note: To further optimize performance, it is recommended that 802.11b clients be disallowed from associating by setting the 6 Mbps or 12 Mbps as Basic Rates in the 802.11g configuration.

Set "Maximum Transmit Failures" to 25.

"High throughput enable" enables 802.11n capabilities that are supported in combination with Open encryption and WPA2-AES (PSK or Enterprise).

Ascom supports both 40 MHz and Very High Throughput enabled SSIDs, including 80 MHz channels.

Ascom recommends a Beacon Interval of 100ms and advertising 802.11d/h capabilities.

General guidelines when deploying Ascom i62 handsets (SW version 257 or later) in 802.11a/n environments:

1. Enabling more than 8 channels will degrade roaming performance. Ascom strongly recommends against going above this limit.
2. Using 40 MHz channels (or "channel-bonding") will reduce the number of non-DFS channels to two in ETSI regions (Europe). In FCC regions (North America) 40 MHz is a more viable option because of the availability of additional non-DFS channels. The handset can co-exist with 40 MHz stations in the same ESS.
3. Make sure that all non-DFS channels are taken before resorting to DFS channels. The handset can cope in mixed non-DFS and DFS environments; however, due to "unpredictability" introduced by radar detection protocols, voice quality may become distorted and roaming delayed. Hence Ascom recommends avoiding the use of DFS channels in VoWi-Fi deployments.

DFS: Dynamic Frequency Selection (radar detection)

For 802.11b/g/n use only channels 1, 6 and 11. For 802.11a/n use channels in accordance with Aruba's guidelines and in compliance with local regulations.

Encryption and Authentication Settings

WPA2-PSK: Set the security profile to WPA2-PSK AES encryption.

Enterprise/.1X authentication

Step 1: When configuring the authentication mode using a RADIUS server, the IP address and the secret must correspond to the IP address and the credential used by the RADIUS server. The RADIUS server should be added to a Server Group.

Step 2: Create an 802.1X Authentication Profile.

Step 3: Choose the 802.1X Authentication profile created in the previous step and configure the Authentication Server group.

Choose the configured AAA Profile and set WPA2/AES as the security mode.

See Appendix B for the controller configuration used for the certification process.
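
The controller-side recommendations in this appendix (WPA2 with AES, DTIM 5, basic rates of 6 Mbps and up, WMM, voice DSCP 46, 4 transmit attempts, 25 transmit failures) and the voice ACL advice can be checked against an exported configuration. The Python script below is an added example, not Aruba's or Ascom's tooling; the sample configuration, profile names and function names are constructed, and it assumes the controller's indented CLI layout with ASCII hyphens.

```python
import re

# Constructed sample in ArubaOS CLI layout (stanza header, indented sub-commands).
# "voice-ok" uses the values this guide recommends; "voice-legacy" is made up to
# trip every check. Profile names and ESSIDs are hypothetical.
SAMPLE_CONFIG = """\
ip access-list session ascom
  any any any permit
ip access-list session sip-acl
  any any svc-sip-udp permit queue high
  any any svc-sip-tcp permit queue high
user-role ascom
  access-list session ascom
user-role voice
  access-list session sip-acl
wlan ssid-profile voice-ok
  essid Voice1
  opmode wpa2-psk-aes
  dtim-period 5
  g-basic-rates 12
  max-retries 4
  wmm
  wmm-vo-dscp 46
  max-tx-fail 25
wlan ssid-profile voice-legacy
  essid Voice2
  opmode wpa-psk-tkip
  dtim-period 1
  g-basic-rates 1 2
  wmm-vo-dscp 56
"""

# Values recommended in this guide for an SSID serving i62 handsets.
RECOMMENDED = {"dtim-period": "5", "wmm-vo-dscp": "46",
               "max-retries": "4", "max-tx-fail": "25"}
WPA2_AES = re.compile(r"^wpa2-(psk-)?aes$")


def parse_stanzas(text):
    """Return {header line: [sub-command lines]} for an indented config."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0].isspace() and current is not None:
            stanzas[current].append(raw.strip())
        elif not raw[0].isspace():
            current = raw.strip()
            stanzas.setdefault(current, [])
    return stanzas


def audit_ssid(lines):
    """List deviations of one ssid-profile body from the guide's settings."""
    conf = {l.split()[0]: l.split()[1:] for l in lines}
    findings = []
    opmode = " ".join(conf.get("opmode", [])) or "unset"
    if not WPA2_AES.match(opmode):
        findings.append(f"opmode is {opmode}, guide uses WPA2 with AES")
    if "wmm" not in conf:
        findings.append("wmm is not enabled")
    rates = [float(r) for r in conf.get("g-basic-rates", [])]
    if not rates or min(rates) < 6:
        findings.append("g-basic-rates unset or below 6 Mbps (802.11b clients)")
    for key, want in RECOMMENDED.items():
        got = " ".join(conf.get(key, [])) or "unset"
        if got != want:
            findings.append(f"{key} is {got}, guide recommends {want}")
    return findings


def permit_all_roles(stanzas):
    """Names of user-roles that apply a session ACL with 'any any any permit'."""
    acl, role, ref = "ip access-list session ", "user-role ", "access-list session "
    open_acls = {h[len(acl):] for h, body in stanzas.items()
                 if h.startswith(acl) and "any any any permit" in body}
    hits = []
    for header, body in stanzas.items():
        if header.startswith(role):
            applied = {l[len(ref):] for l in body if l.startswith(ref)}
            if applied & open_acls:
                hits.append(header[len(role):])
    return sorted(hits)


def audit(text):
    """Return ({ssid-profile name: findings}, [roles with a permit-all ACL])."""
    stanzas = parse_stanzas(text)
    prefix = "wlan ssid-profile "
    report = {h[len(prefix):]: audit_ssid(body)
              for h, body in stanzas.items() if h.startswith(prefix)}
    return report, permit_all_roles(stanzas)


if __name__ == "__main__":
    ssid_report, open_roles = audit(SAMPLE_CONFIG)
    for name, findings in ssid_report.items():
        print(f"ssid-profile {name}: {'OK' if not findings else 'review'}")
        for item in findings:
            print(f"  - {item}")
    print("roles with an unrestricted session ACL:", ", ".join(open_roles) or "none")
```

A role reported by `permit_all_roles` is one to compare against the voice, SIP or H.323 ACLs the guide recommends for handsets; a `dtim-period` finding is expected on the access points that only support DTIM 1.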

Ascom i62 Setting Summary

Network settings for WPA2-PSK

Network settings for .1X authentication (PEAP-MSCHAPv2)

802.1X Authentication requires a root certificate to be uploaded to the phone by "right clicking" -> Edit certificates. EAP-TLS will require both a root and a client certificate.

Note that both a root and a client certificate are needed for TLS. Otherwise only a root certificate is needed.

Server certificate validation can be overridden in version 4112 and above per handset setting (Validate server certificate under Network settings).

APPENDIX B

Test Summary

Description | Runs
Tests passed | 24
Tests Not Run | 11
Tests fail | 0
Test NA | 0
Total Number of Tests | 35

Aruba Test Configuration File

version 64
enable secret 7d3988e20126db68084797bcc038534bffc2ced01c24555806
hostname Aruba3400
clock timezone PST -8
location Building1floor1
controller config 716
ip NAT pool dynamic-srcnat 0000 0000
ip access-list eth validuserethacl
  permit any
netservice svc-pcoip2-tcp tcp 4172
netservice svc-snmp-trap udp 162
netservice svc-netbios-dgm udp 138
netservice svc-citrix tcp 2598
netservice svc-smb-tcp tcp 445
netservice svc-ike udp 500
netservice svc-l2tp udp 1701
netservice svc-syslog udp 514
netservice svc-dhcp udp 67 68 alg dhcp
netservice svc-https tcp 443
netservice svc-ica tcp 1494
netservice svc-pptp tcp 1723
netservice svc-telnet tcp 23
netservice svc-http-accl tcp 88
netservice svc-sccp tcp 2000 alg sccp
netservice svc-sec-papi udp 8209
netservice svc-tftp udp 69 alg tftp
netservice svc-kerberos udp 88
netservice svc-sip-tcp tcp 5060
netservice svc-netbios-ssn tcp 139
netservice svc-pcoip-udp udp 50002
netservice svc-pcoip-tcp tcp 50002
netservice svc-pop3 tcp 110
netservice svc-adp udp 8200
netservice svc-cfgm-tcp tcp 8211
netservice svc-noe udp 32512 alg noe
netservice svc-http-proxy3 tcp 8888
netservice svc-lpd-tcp tcp 631
netservice svc-msrpc-tcp tcp 135 139
netservice svc-rtsp tcp 554 alg rtsp
netservice svc-dns udp 53 alg dns
netservice vnc tcp 5900 5905
netservice svc-vocera udp 5002 alg vocera
netservice svc-h323-tcp tcp 1720
netservice svc-h323-udp udp 1718 1719
netservice svc-http tcp 80
netservice svc-nterm tcp 1026 1028
netservice svc-sip-udp udp 5060
netservice svc-http-proxy2 tcp 8080
netservice svc-noe-oxo udp 5000 alg noe
netservice svc-papi udp 8211
netservice svc-ftp tcp 21 alg ftp
netservice svc-natt udp 4500
netservice svc-svp 119 alg svp
netservice svc-microsoft-ds tcp 445
netservice svc-gre 47
netservice svc-smtp tcp 25
netservice web tcp list 80 443
netservice svc-smb-udp udp 445
netservice svc-sips tcp 5061 alg sips
netservice svc-netbios-ns udp 137
netservice svc-esp 50
netservice svc-cups tcp 515
netservice svc-pcoip2-udp udp 4172
netservice svc-bootp udp 67 69
netservice svc-snmp udp 161
netservice svc-v6-dhcp udp 546 547
netservice svc-icmp 1
netservice svc-ntp udp 123
netservice svc-msrpc-udp udp 135 139
netservice svc-ssh tcp 22
netservice svc-http-proxy1 tcp 3128
netservice svc-v6-icmp 58
netservice svc-lpd-udp udp 631
netservice svc-vmware-rdp tcp 3389
netdestination6 ipv6-reserved-range
  invert
  network 20003
netexthdr default
time-range night-hours periodic
  weekday 1801 to 2359
  weekday 0000 to 0759
time-range weekend periodic
  weekend 0000 to 2359
time-range working-hours periodic
  weekday 0800 to 1800
ip access-list session allow-diskservices
  any any svc-netbios-dgm permit
  any any svc-netbios-ssn permit
  any any svc-microsoft-ds permit
  any any svc-netbios-ns permit
ip access-list session control
  any any svc-papi permit
  any any svc-sec-papi permit
  user any udp 68 deny
  any any svc-icmp permit
  any any svc-dns permit
  any any svc-cfgm-tcp permit
  any any svc-adp permit
  any any svc-tftp permit
  any any svc-dhcp permit
  any any svc-natt permit
ip access-list session v6-icmp-acl
ip access-list session apprf-ascom-sacl
ip access-list session validuser
  network 16925400 25525500 any any deny
  network 127000 255000 any any deny
  network 224000 240000 any any deny
  host 255255255255 any any deny
  network 240000 240000 any any deny
  any any any permit
  ipv6 host fe80 any any deny
  ipv6 network fc007 any any permit
  ipv6 network fe8064 any any permit
  ipv6 alias ipv6-reserved-range any any deny
  ipv6 any any any permit
ip access-list session vocera-acl
  any any svc-vocera permit queue high
ip access-list session v6-https-acl
ip access-list session vmware-acl
  any any svc-vmware-rdp permit tos 46 dot1p-priority 6
  any any svc-pcoip-tcp permit tos 46 dot1p-priority 6
  any any svc-pcoip-udp permit tos 46 dot1p-priority 6
  any any svc-pcoip2-tcp permit tos 46 dot1p-priority 6
  any any svc-pcoip2-udp permit tos 46 dot1p-priority 6
ip access-list session apprf-default-vpn-role-sacl
ip access-list session v6-control
  ipv6 any any svc-papi permit
  ipv6 any any svc-sec-papi permit
  ipv6 user any udp 547 deny
  ipv6 any any svc-v6-icmp permit
  ipv6 any any svc-dns permit
  ipv6 any any svc-cfgm-tcp permit
  ipv6 any any svc-adp permit
  ipv6 any any svc-tftp permit
  ipv6 any any svc-dhcp permit
  ipv6 any any svc-natt permit
ip access-list session icmp-acl
  any any svc-icmp permit
ip access-list session apprf-authenticated-sacl
ip access-list session apprf-stateful-dot1x-sacl
ip access-list session captiveportal
  user alias controller svc-https dst-nat 8081
  user any svc-http dst-nat 8080
  user any svc-https dst-nat 8081
  user any svc-http-proxy1 dst-nat 8088
  user any svc-http-proxy2 dst-nat 8088
  user any svc-http-proxy3 dst-nat 8088
ip access-list session v6-dhcp-acl
ip access-list session allowall
  any any any permit
ip access-list session v6-dns-acl
ip access-list session apprf-voice-sacl
ip access-list session lync-acl
  any any svc-sips permit queue high
ip access-list session test
ip access-list session sip-acl
  any any svc-sip-udp permit queue high
  any any svc-sip-tcp permit queue high
ip access-list session https-acl
  any any svc-https permit
ip access-list session citrix-acl
  any any svc-citrix permit tos 46 dot1p-priority 6
  any any svc-ica permit tos 46 dot1p-priority 6
ip access-list session dns-acl
  any any svc-dns permit
ip access-list session ascom
  any any any permit
ip access-list session ra-guard
  ipv6 user any icmpv6 rtr-adv deny
ip access-list session allow-printservices
  any any svc-cups permit
  any any svc-lpd-tcp permit
  any any svc-lpd-udp permit
ip access-list session logon-control
  user any udp 68 deny
  any any svc-icmp permit
  any any svc-dns permit
  any any svc-dhcp permit
  any any svc-natt permit
  any network 16925400 25525500 any deny
  any network 240000 240000 any deny
ip access-list session vpnlogon
  user any svc-ike permit
  user any svc-esp permit
  any any svc-l2tp permit
  any any svc-pptp permit
  any any svc-gre permit
ip access-list session srcnat
  user any any src-nat
ip access-list session skinny-acl
  any any svc-sccp permit queue high
ip access-list session tftp-acl
  any any svc-tftp permit
ip access-list session v6-allowall
ip access-list session apprf-cpbase-sacl
ip access-list session cplogout
  user alias controller svc-https dst-nat 8081
ip access-list session apprf-default-via-role-sacl
ip access-list session dhcp-acl
  any any svc-dhcp permit
ip access-list session http-acl
  any any svc-http permit
ip access-list session v6-http-acl
ip access-list session captiveportal6
  ipv6 user alias controller6 svc-https captive
  ipv6 user any svc-http captive
  ipv6 user any svc-https captive
  ipv6 user any svc-http-proxy1 captive
  ipv6 user any svc-http-proxy2 captive
  ipv6 user any svc-http-proxy3 captive
ip access-list session apprf-guest-sacl
ip access-list session ap-uplink-acl
  any any udp 68 permit
  any any svc-icmp permit
  any host 22400251 udp 5353 permit
ip access-list session ap-acl
  any any svc-gre permit
  any any svc-syslog permit
  any user svc-snmp permit
  user any svc-http permit
  user any svc-http-accl permit
  user any svc-smb-tcp permit
  user any svc-msrpc-tcp permit
  user any svc-snmp-trap permit
  user any svc-ntp permit
  user alias controller svc-ftp permit
ip access-list session svp-acl
  any any svc-svp permit queue high
  user host 22401116 any permit
ip access-list session noe-acl
  any any svc-noe permit queue high
ip access-list session global-sacl
ip access-list session v6-ap-acl
  ipv6 any any svc-gre permit
  ipv6 any any svc-syslog permit
  ipv6 any user svc-snmp permit
  ipv6 user any svc-snmp-trap permit
  ipv6 user any svc-ntp permit
  ipv6 user alias controller6 svc-ftp permit
ip access-list session h323-acl
  any any svc-h323-tcp permit queue high
  any any svc-h323-udp permit queue high
ip access-list session v6-logon-control
  ipv6 any network fc007 any permit
  ipv6 any network fe8064 any permit
  ipv6 any alias ipv6-reserved-range any deny
vpn-dialer default-dialer
  ike authentication PRE-SHARE 0fa4598253e270cc96afbec0732b06120e4a3d76a908f6e2
dot1x high-watermark 60
dot1x low-watermark 57
user-role ap-role
  access-list session ra-guard
  access-list session control
  access-list session ap-acl
  access-list session v6-control
  access-list session v6-ap-acl
user-role denyall
user-role default-vpn-role
  access-list session global-sacl
  access-list session apprf-default-vpn-role-sacl
  access-list session ra-guard
  access-list session allowall
  access-list session v6-allowall
user-role cpbase
  access-list session global-sacl
  access-list session apprf-cpbase-sacl
user-role voice
  access-list session global-sacl
  access-list session apprf-voice-sacl
  access-list session ra-guard
  access-list session sip-acl
  access-list session noe-acl
  access-list session svp-acl
  access-list session vocera-acl
  access-list session skinny-acl
  access-list session h323-acl
  access-list session dhcp-acl
  access-list session tftp-acl
  access-list session dns-acl
  access-list session icmp-acl
user-role ascom
  access-list session global-sacl
  access-list session apprf-ascom-sacl
  access-list session ascom
user-role default-via-role
  access-list session global-sacl
  access-list session apprf-default-via-role-sacl
  access-list session allowall
  access-list session v6-allowall
user-role guest-logon
  captive-portal default
  access-list session ra-guard
  access-list session logon-control
  access-list session captiveportal
  access-list session v6-logon-control
  access-list session captiveportal6
user-role guest
  access-list session global-sacl
  access-list session apprf-guest-sacl
  access-list session ra-guard
  access-list session http-acl
  access-list session https-acl
  access-list session dhcp-acl
  access-list session icmp-acl
  access-list session dns-acl
  access-list session v6-http-acl
  access-list session v6-https-acl
  access-list session v6-dhcp-acl
  access-list session v6-icmp-acl
  access-list session v6-dns-acl
user-role stateful-dot1x
  access-list session global-sacl
  access-list session apprf-stateful-dot1x-sacl
user-role authenticated
  access-list session global-sacl
  access-list session apprf-authenticated-sacl
  access-list session ra-guard
  access-list session allowall
  access-list session v6-allowall
user-role logon
  access-list session ra-guard
  access-list session logon-control
  access-list session captiveportal
  access-list session vpnlogon
  access-list session v6-logon-control
  access-list session captiveportal6
no kernel coredump
interface mgmt
  shutdown
dialer group evdo_us
  init-string ATQ0V1E0
  dial-string ATDT777
dialer group gsm_us
  init-string AT+CGDCONT=1IPISPCINGULAR
  dial-string ATD99
dialer group gsm_asia
  init-string AT+CGDCONT=1IPinternet
  dial-string ATD991
dialer group vivo_br
  init-string AT+CGDCONT=1IPzapvivocombr
  dial-string ATD99
no spanning-tree
interface gigabitethernet 10
  description GE10
  trusted
  trusted vlan 1-4094
interface gigabitethernet 11
  description GE11
  trusted
  trusted vlan 1-4094
interface gigabitethernet 12
  description GE12
  trusted
  trusted vlan 1-4094
interface gigabitethernet 13
  description GE13
  trusted
  trusted vlan 1-4094
interface vlan 1
  ip address 192168013 2552552550
ip default-gateway 172201061
ip default-gateway 192168050
uplink disable
crypto isakmp policy 20
  encryption aes256
crypto isakmp policy 10001
crypto isakmp policy 10002
  encryption aes256
  authentication rsa-sig
crypto isakmp policy 10003
  encryption aes256
crypto isakmp policy 10004
  version v2
  encryption aes256
  authentication rsa-sig
crypto isakmp policy 10005
  encryption aes256
crypto isakmp policy 10006
  version v2
  encryption aes128
  authentication rsa-sig
crypto isakmp policy 10007
  version v2
  encryption aes128
crypto isakmp policy 10008
  version v2
  encryption aes128
  hash sha2-256-128
  group 19
  authentication ecdsa-256
  prf prf-hmac-sha256
crypto isakmp policy 10009
  version v2
  encryption aes256
  hash sha2-384-192
  group 20
  authentication ecdsa-384
  prf prf-hmac-sha384
crypto ipsec transform-set default-ha-transform esp-3des esp-sha-hmac
crypto ipsec transform-set default-boc-bm-transform esp-3des esp-sha-hmac
crypto ipsec transform-set default-rap-transform esp-aes256 esp-sha-hmac
crypto ipsec transform-set default-aes esp-aes256 esp-sha-hmac
crypto dynamic-map default-rap-ipsecmap 10001
  version v2
  set transform-set default-gcm256 default-gcm128 default-rap-transform
crypto dynamic-map default-dynamicmap 10000
  set transform-set default-transform default-aes
crypto map GLOBAL-IKEV2-MAP 10000 ipsec-isakmp dynamic default-rap-ipsecmap
crypto map GLOBAL-MAP 10000 ipsec-isakmp dynamic default-dynamicmap
crypto isakmp eap-passthrough eap-tls
crypto isakmp eap-passthrough eap-peap
crypto isakmp eap-passthrough eap-mschapv2
vpdn group l2tp
vpdn group pptp
tunneled-node-address 0000
adp discovery enable
adp igmp-join enable
adp igmp-vlan 0
voice rtcp-inactivity disable
voice alg-based-cac enable
voice sip-midcall-req-timeout disable
ap ap-blacklist-time 3600
ap flush-r1-on-new-r0 disable
mgmt-user admin root 5436b5a101681372db26d314e974065944317cd3e1fe6a5534
no database synchronize
ip mobile domain default
airgroup mdns enable
airgroup dlna enable
airgroup location-discovery enable
airgroup active-wireless-discovery disable
airgroupservice airplay
  id _airplay_tcp
  id _raop_tcp
  id _appletv-v2_tcp
  description AirPlay
airgroupservice airprint
  id _ipp_tcp
  id _pdl-datastream_tcp
  id _printer_tcp
  id _scanner_tcp
  id _universal_sub_ipp_tcp
  id _universal_sub_ipps_tcp
  id _printer_sub_http_tcp
  id _http_tcp
  id _http-alt_tcp
  id _ipp-tls_tcp
  id _fax-ipp_tcp
  id _riousbprint_tcp
  id _cups_sub_ipp_tcp
  id _cups_sub_fax-ipp_tcp
  id _ica-networking_tcp
  id _ptp_tcp
  id _canon-bjnp1_tcp
  id _ipps_tcp
  id _ica-networking2_tcp
  description AirPrint
airgroupservice itunes
  id _home-sharing_tcp
  id _apple-mobdev_tcp
  id _daap_tcp
  id _dacp_tcp
  description iTunes
airgroupservice remotemgmt
  id _ssh_tcp
  id _sftp-ssh_tcp
  id _ftp_tcp
  id _telnet_tcp
  id _rfb_tcp
  id _net-assistant_tcp
  description Remote management
airgroupservice sharing
  id _odisk_tcp
  id _afpovertcp_tcp
  id _xgrid_tcp
  description Sharing
airgroupservice chat
  id _presence_tcp
  description Chat
airgroupservice googlecast
  id _googlecast_tcp
  description GoogleCast supported by Chromecast etc
airgroupservice DIAL
  id urndial-multiscreen-orgservicedial1
  id urndial-multiscreen-orgdevicedial1
  description DIAL supported by Chromecast FireTV Roku etc
airgroupservice DLNA Media
  id urnschemas-upnp-orgdeviceMediaServer1
  id urnschemas-upnp-orgdeviceMediaServer2
  id urnschemas-upnp-orgdeviceMediaServer3
  id urnschemas-upnp-orgdeviceMediaServer4
  id urnschemas-upnp-orgdeviceMediaRenderer1
  id urnschemas-upnp-orgdeviceMediaRenderer2
  id urnschemas-upnp-orgdeviceMediaRenderer3
  id urnschemas-upnp-orgdeviceMediaPlayer1
  description Media
airgroupservice DLNA Print
  id urnschemas-upnp-orgdevicePrinter1
  id urnschemas-upnp-orgservicePrintBasic1
  id urnschemas-upnp-orgservicePrintEnhanced1
  description Print
airgroupservice allowall
  description Remaining-Services
airgroup service airplay enable
airgroup service airprint enable
airgroup service itunes disable
airgroup service remotemgmt disable
airgroup service sharing disable
airgroup service chat disable
airgroup service googlecast disable
airgroup service DIAL enable
airgroup service DLNA Media disable
airgroup service DLNA Print disable
airgroup service allowall disable
ip igmp
ipv6 mld
no firewall attack-rate cp 1024
firewall enable ICE-STUN based firewall traversal
firewall attack-rate grat-arp 50 drop
ipv6 firewall ext-hdr-parse-len 100
firewall cp
ip domain lookup
country US
aaa authentication mac default
aaa authentication dot1x ArubaIntop-dot1x_prof
aaa authentication dot1x ascom
  machine-authentication enable
  machine-authentication machine-default-role ascom
  machine-authentication user-default-role authenticated
  reauthentication
  termination enable
  termination eap-type eap-peap
  termination inner-eap-type eap-mschapv2
aaa authentication dot1x default
aaa authentication dot1x Freeradius
  machine-authentication enable
  machine-authentication machine-default-role ascom
  machine-authentication user-default-role authenticated
aaa authentication-server radius Intop
  host 19216802
  key 6035e299cd29e5ccb74cf92aac31ee2f
aaa server-group ascom
  auth-server Internal
aaa server-group default
  auth-server Internal
  set role condition role value-of
aaa server-group intop
  auth-server Intop
aaa profile ascom
  initial-role ascom
  authentication-dot1x ascom
  dot1x-default-role authenticated
  dot1x-server-group ascom
aaa profile default
aaa profile default-dot1x
  initial-role ascom
  authentication-dot1x Freeradius
  dot1x-default-role authenticated
  dot1x-server-group intop
aaa profile default-dot1x-psk
  initial-role ascom
  authentication-dot1x default-psk
  dot1x-default-role authenticated
aaa authentication captive-portal default
aaa authentication wispr default
aaa authentication vpn default
aaa authentication vpn default-rap
aaa authentication mgmt
aaa authentication stateful-ntlm default
aaa authentication stateful-kerberos default
aaa authentication stateful-dot1x
  server-group intop
aaa authentication wired
web-server
guest-access-email
voice logging
voice dialplan-profile default
app lync traffic-control default
voice real-time-config
voice sip
aaa password-policy mgmt
control-plane-security
  no cpsec-enable
ids wms-general-profile
  poll-retries 3
ids wms-local-system-profile
valid-network-oui-profile
upgrade-profile
license profile
activate-service-whitelist
file syncing profile
ifmap cppm
pan profile default
pan active-profile
ap system-profile default
ap regulatory-domain-profile default
  country-code US
  valid-11g-channel 1
  valid-11g-channel 6
  valid-11g-channel 11
  valid-11a-channel 36
  valid-11a-channel 40
  valid-11a-channel 44
  valid-11a-channel 48
  valid-11a-channel 149
  valid-11a-channel 153
  valid-11a-channel 157
  valid-11a-channel 161
  valid-11a-channel 165
  valid-11g-40mhz-channel-pair 1-5
  valid-11g-40mhz-channel-pair 7-11
  valid-11a-40mhz-channel-pair 36-40
  valid-11a-40mhz-channel-pair 44-48
  valid-11a-40mhz-channel-pair 149-153
  valid-11a-40mhz-channel-pair 157-161
ap wired-ap-profile default
ap enet-link-profile default
ap mesh-ht-ssid-profile default
ap lldp med-network-policy-profile default
ap mesh-cluster-profile default
ap lldp profile default
ap mesh-radio-profile default
ap wired-port-profile default
ids general-profile default
ids unauthorized-device-profile default
ids profile default rf arm‐profile default assignment disable rf arm‐profile disable assignment disable no scanning no multi‐band‐scan rf optimization‐profile default rf event‐thresholds‐profile default rf am‐scan‐profile default rf dot11a‐radio‐profile ch 165 channel 48E tx‐power 6 arm‐profile disable rf dot11a‐radio‐profile ch 36 channel 36E tx‐power 25 dot11h arm‐profile disable rf dot11a‐radio‐profile ch 40 channel 40‐ tx‐power 22 rf dot11a‐radio‐profile ch149 channel 149E tx‐power 6 dot11h rf dot11a‐radio‐profile ch44 channel 44 tx‐power 16 rf dot11a‐radio‐profile default arm‐profile disable rf dot11g‐radio‐profile channel‐1 channel 1 tx‐power 6 dot11h arm‐profile disable rf dot11g‐radio‐profile channel‐11 channel 11 tx‐power 30 dot11h arm‐profile disable rf dot11g‐radio‐profile channel‐6 channel 6 tx‐power 25 dot11h arm‐profile disable rf dot11g‐radio‐profile default wlan handover‐trigger‐profile default


wlan rrm-ie-profile default
wlan bcn-rpt-req-profile default
wlan dot11r-profile default
wlan tsm-req-profile default
wlan voip-cac-profile default
   call-capacity 5
   bandwidth-capacity 200
   send-sip-status-code client 503
   send-sip-status-code server 503
wlan ht-ssid-profile default
   no 40MHz-enable
   no very-high-throughput-enable
   no 80MHz-enable
   no short-guard-intvl-20MHz
   no short-guard-intvl-40MHz
   no short-guard-intvl-80MHz
wlan hotspot anqp-venue-name-profile default
wlan hotspot anqp-nwk-auth-profile default
wlan hotspot anqp-roam-cons-profile default
wlan hotspot anqp-nai-realm-profile default
wlan hotspot anqp-3gpp-nwk-profile default
wlan hotspot h2qp-operator-friendly-name-profile default
wlan hotspot h2qp-wan-metrics-profile default
wlan hotspot h2qp-conn-capability-profile default
wlan hotspot h2qp-op-cl-profile default
wlan hotspot anqp-ip-addr-avail-profile default
wlan hotspot anqp-domain-name-profile default
wlan wmm-traffic-management-profile Ascom
   enable-shaping
wlan edca-parameters-profile station default
wlan edca-parameters-profile ap default
wlan dot11k-profile default
wlan ssid-profile --NEW--
   essid ArubaIntop2
   wmm-vo-dscp 56
   wmm-vi-dscp 40
   wmm-be-dscp 24
   wmm-bk-dscp 8
wlan ssid-profile default
   essid ArubaIntop
   opmode wpa2-psk-aes
   dtim-period 5
   g-basic-rates 6
   g-tx-rates 11 12 18 24 36 48 54


   max-retries 4
   wmm
   wmm-vo-dscp 46
   wmm-vi-dscp 40
   wmm-be-dscp 26
   wmm-bk-dscp 0
   wepkey1 1317981aecb1ee9a3145cbeeabbbc99a4c29e309ef9c8544
   wpa-passphrase 50a78a5dac7e447441e028920cceef898a3ba5f29c6e2098
   max-tx-fail 25
   edca-parameters-profile station default
   edca-parameters-profile ap default
wlan ssid-profile test
   opmode wpa2-psk-aes
   wmm-vo-dscp 56
   wmm-vi-dscp 40
   wmm-be-dscp 24
   wmm-bk-dscp 8
   wpa-passphrase c66913b490044f55538730b888a8522c02008a746fb88738
wlan hotspot advertisement-profile default
wlan hotspot hs2-profile default
wlan virtual-ap default
   aaa-profile default-dot1x
ap provisioning-profile default
rf arm-rf-domain-profile
   arm-rf-domain-key 49868e8b02680a8f03980ea4288197a4
ap-lacp-striping-ip
ap-group default
   virtual-ap default
   dot11a-radio-profile ch149
   dot11g-radio-profile channel-6
ap-name 001a1eca2c1a
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-11
ap-name 001a1eca2c76
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-1
ap-name 00246ccbf8b1
ap-name 00246ccbf900
   dot11a-radio-profile ch44
   dot11g-radio-profile channel-11
ap-name 24dec6cacabc
   dot11a-radio-profile ch149
   dot11g-radio-profile channel-1
ap-name 3400-ap-61-a
   dot11g-radio-profile channel-6
ap-name 3400-ap-61-b
   dot11g-radio-profile channel-6
ap-name 9c1c12c0c3bc
   dot11a-radio-profile ch 165
   dot11g-radio-profile channel-6


ap-name 9c1c12c82e5c
   dot11a-radio-profile ch149
   dot11g-radio-profile channel-1
ap-name 9c1c12cc6220
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-6
ap-name d8c7c8c0a168
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-1
airgroup cppm-server aaa
logging level warnings security subcat ids
logging level warnings security subcat ids-ap
snmp-server enable trap
snmp-server trap source 0000
snmp-server trap disable wlsxAdhocNetwork
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedAP
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedSta
snmp-server trap disable wlsxAdhocUsingValidSSID
snmp-server trap disable wlsxAuthMaxAclEntries
snmp-server trap disable wlsxAuthMaxBWContracts
snmp-server trap disable wlsxAuthMaxUserEntries
snmp-server trap disable wlsxAuthServerIsUp
snmp-server trap disable wlsxAuthServerReqTimedOut
snmp-server trap disable wlsxAuthServerTimedOut
snmp-server trap disable wlsxChannelChanged
snmp-server trap disable wlsxCoverageHoleDetected
snmp-server trap disable wlsxDBCommunicationFailure
snmp-server trap disable wlsxDisconnectStationAttack
snmp-server trap disable wlsxESIServerDown
snmp-server trap disable wlsxESIServerUp
snmp-server trap disable wlsxFanFailure
snmp-server trap disable wlsxFanTrayInserted
snmp-server trap disable wlsxFanTrayRemoved
snmp-server trap disable wlsxGBICInserted
snmp-server trap disable wlsxIpSpoofingDetected
snmp-server trap disable wlsxLCInserted
snmp-server trap disable wlsxLCRemoved
snmp-server trap disable wlsxLicenseExpiry
snmp-server trap disable wlsxLowMemory
snmp-server trap disable wlsxLowOnFlashSpace
snmp-server trap disable wlsxOutOfRangeTemperature
snmp-server trap disable wlsxOutOfRangeVoltage
snmp-server trap disable wlsxPowerSupplyFailure
snmp-server trap disable wlsxPowerSupplyMissing
snmp-server trap disable wlsxProcessDied
snmp-server trap disable wlsxProcessExceedsMemoryLimits
snmp-server trap disable wlsxSCInserted
snmp-server trap disable wlsxSignatureMatch
snmp-server trap disable wlsxStaUnAssociatedFromUnsecureAP
snmp-server trap disable wlsxStationAddedToBlackList
snmp-server trap disable wlsxStationRemovedFromBlackList
snmp-server trap disable wlsxSwitchIPChanged
snmp-server trap disable wlsxSwitchRoleChange
snmp-server trap disable wlsxUserAuthenticationFailed
snmp-server trap disable wlsxUserEntryAuthenticated
snmp-server trap disable wlsxUserEntryChanged
snmp-server trap disable wlsxUserEntryCreated
snmp-server trap disable wlsxUserEntryDeAuthenticated
snmp-server trap disable wlsxUserEntryDeleted
snmp-server trap disable wlsxVrrpStateChange


firewall-visibility
process monitor log
end


WLAN Interoperability Test Report

Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP115 and AP225

WLAN configuration:
Beacon Interval 100ms
DTIM Interval 5
802.11d Regulatory Domain XX
WMM Enabled (AutoWMM)
No Auto-tune
Single Voice VLAN

Columns: Test Case, Description, Verdict AP115 2.4GHz, Verdict AP115 5.0GHz, Verdict AP225 2.4GHz, Verdict AP225 5.0GHz, Comment
TEST AREA ASSOCIATION AUTHENTICATION
101 Association with open authentication no encryption PASS PASS PASS PASS
104 Association with WPA-PSK authentication TKIP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED Not tested. Only possible in Mixed mode and requires advanced configuration of i62.
105 Association with WPA-PSK authentication AES-CCMP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED Not tested. Only possible in Mixed mode and requires advanced configuration of i62.
106 Association with WPA2-PSK authentication TKIP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED
107 Association with WPA2-PSK authentication AES-CCMP encryption PASS PASS PASS PASS
110 Association with PEAP-MSCHAPv2 auth AES-CCMP encryption PASS PASS PASS PASS FreeRADIUS RootCA FAIL
111 Association with EAP-FAST authentication NOT TESTED NOT TESTED NOT TESTED NOT TESTED
115 Association with multiple ESSIDs on AP PASS PASS PASS PASS See Comment
116 Association with EAP-TLS authentication PASS PASS PASS PASS FreeRADIUS RootCA + client certificate
TEST AREA POWER-SAVE AND QOS PASS
150 802.11 Power-save mode PASS PASS PASS PASS FAIL
151 Beacon period and DTIM interval NOT TESTED NOT TESTED NOT TESTED NOT TESTED NOT TESTED
152 802.11e U-APSD PASS PASS PASS PASS See Comment
202 WMM prioritization PASS PASS PASS PASS background load generated with iPerf. No degeneration of voice quality.
TEST AREA PERFORMANCE
301 Active mode - unencrypted NOT TESTED NOT TESTED NOT TESTED NOT TESTED
303 Active mode - encrypted with WPA2-PSK NOT TESTED NOT TESTED NOT TESTED NOT TESTED
308 Power-save mode U-APSD - WPA2-PSK NOT TESTED NOT TESTED NOT TESTED NOT TESTED
309 Power-save mode U-APSD - WPA2-PSK AES background load NOT TESTED NOT TESTED NOT TESTED NOT TESTED
310 CAC - TSPEC PASS PASS PASS PASS No TSPEC based CAC
TEST AREA ROAMING AND HANDOVER TIMES
401 Handover with open authentication and no encryption PASS PASS PASS PASS avg a/n 24ms, b/g/n 24ms
403 Handover with WPA-PSK authentication and TKIP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED
404 Handover with WPA2-PSK auth and AES-CCMP encryption PASS PASS PASS PASS avg a/n 52ms, b/g/n 59ms
408 Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption PASS PASS PASS PASS avg a/n 63ms, b/g/n 62ms
410 Handover using PMKSA caching PASS PASS PASS PASS always on, see 408
411 Handover using PMKSA and opportunistic/proactive key caching PASS PASS PASS PASS always on, see 408
TEST AREA BATTERY LIFETIME
501 Battery lifetime in idle NOT TESTED NOT TESTED NOT TESTED NOT TESTED
502 Battery lifetime in call with no power save NOT TESTED NOT TESTED NOT TESTED NOT TESTED
504 Battery lifetime in call with power save mode U-APSD NOT TESTED NOT TESTED NOT TESTED NOT TESTED
TEST AREA STABILITY
601 Duration of call - Active mode NOT TESTED NOT TESTED NOT TESTED NOT TESTED
602 Duration of call - U-APSD mode PASS PASS PASS PASS
TEST AREA 802.11n
801 Frame aggregation A-MSDU NOT TESTED NOT TESTED NOT TESTED NOT TESTED
802 Frame aggregation A-MPDU NOT TESTED NOT TESTED NOT TESTED NOT TESTED
804 40MHz channels NOT TESTED PASS NOT TESTED NOT TESTED
805 802.11n rates PASS PASS PASS PASS
WLAN Interoperability Test Report
Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP103 and AP205
WLAN configuration: Beacon Interval 100ms; DTIM Interval 5; 802.11d Regulatory Domain XX; WMM Enabled (AutoWMM); No Auto-tune; Single Voice VLAN
Verdict columns: AP205 2.4GHz, AP205 5.0GHz, AP103 2.4GHz, AP103 5.0GHz
Test Case Description Verdict Verdict Verdict Verdict Comment
TEST AREA ASSOCIATION AUTHENTICATION
101 Association with open authentication no encryption PASS PASS PASS PASS
104 Association with WPA-PSK authentication TKIP encryption See Comment See Comment See Comment See Comment Not tested. Only possible in Mixed mode and requires advanced configuration of i62
105 Association with WPA-PSK authentication AES-CCMP encryption See Comment See Comment See Comment See Comment Not tested. Only possible in Mixed mode and requires advanced configuration of i62
106 Association with WPA2-PSK authentication TKIP encryption PASS PASS PASS PASS
107 Association with WPA2-PSK authentication AES-CCMP encryption PASS PASS PASS PASS
110 Association with PEAP-MSCHAPv2 auth AES-CCMP encryption PASS PASS PASS PASS FreeRADIUS RootCA FAIL
115 Association with multiple ESSIDs on AP PASS PASS PASS PASS See Comment
116 Association with EAP-TLS authentication PASS PASS PASS PASS FreeRADIUS RootCA + client certificate
TEST AREA POWER-SAVE AND QOS PASS
150 802.11 Power-save mode PASS PASS PASS PASS FAIL
151 Beacon period and DTIM interval See Comment See Comment PASS PASS Only DTIM 1 for AP205. AP103 no remark NOT TESTED
152 802.11e U-APSD PASS PASS PASS PASS See Comment
202 WMM prioritization PASS PASS PASS PASS
TEST AREA PERFORMANCE
301 Active mode - unencrypted PASS PASS PASS PASS
303 Active mode - encrypted with WPA2-PSK PASS PASS PASS PASS
308 Power-save mode U-APSD - WPA2-PSK PASS PASS PASS PASS
309 Power-save mode U-APSD - WPA2-PSK AES background load NOT TESTED NOT TESTED NOT TESTED NOT TESTED
310 CAC - TSPEC PASS PASS PASS PASS Non-TSPEC based CAC
TEST AREA ROAMING AND HANDOVER TIMES
401 Handover with open authentication and no encryption PASS PASS PASS PASS Typical average roaming time a/n/ac 16ms, b/g/n 18ms
403 Handover with WPA-PSK authentication and TKIP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED
404 Handover with WPA2-PSK auth and AES-CCMP encryption PASS PASS PASS PASS Typical average roaming time a/n/ac 53ms, b/g/n 59ms
408 Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption PASS PASS PASS PASS Typical average roaming time a/n/ac 46ms, b/g/n 62ms
410 Handover using PMKSA caching PASS PASS PASS PASS always on, see 408
411 Handover using PMKSA and opportunistic/proactive key caching PASS PASS PASS PASS always on, see 408
TEST AREA BATTERY LIFETIME
501 Battery lifetime in idle See Comment See Comment PASS PASS 60-70h due to DTIM 1 only. AP103 90-100h (DTIM 5)
502 Battery lifetime in call with no power save PASS PASS PASS PASS 3-4 hours
504 Battery lifetime in call with power save mode U-APSD PASS PASS PASS PASS 13h (14-16h for AP103)
TEST AREA STABILITY
601 Duration of call - Active mode PASS PASS PASS PASS 24h +
602 Duration of call - U-APSD mode PASS PASS PASS PASS 24h +
TEST AREA 802.11n
801 Frame aggregation A-MSDU NOT TESTED NOT TESTED NOT TESTED NOT TESTED
802 Frame aggregation A-MPDU NOT TESTED NOT TESTED NOT TESTED NOT TESTED
804 40MHz channels NOT TESTED PASS NOT TESTED PASS AP205 80MHz channels verified OK
805 802.11n rates PASS PASS PASS PASS
WLAN Interoperability Test Report
Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP105 and AP135
WLAN configuration: Beacon Interval 100ms; DTIM Interval 5; 802.11d Regulatory Domain XX; WMM Enabled (AutoWMM); No Auto-tune; Single Voice VLAN
Verdict columns: AP105 2.4GHz, AP105 5.0GHz, AP135 2.4GHz, AP135 5.0GHz
Test Case Description Verdict Verdict Verdict Verdict Comment
TEST AREA ASSOCIATION AUTHENTICATION
101 Association with open authentication no encryption PASS PASS PASS PASS
104 Association with WPA-PSK authentication TKIP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED Not tested. Only possible in Mixed mode and requires advanced configuration of i62
105 Association with WPA-PSK authentication AES-CCMP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED Not tested. Only possible in Mixed mode and requires advanced configuration of i62
106 Association with WPA2-PSK authentication TKIP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED
107 Association with WPA2-PSK authentication AES-CCMP encryption PASS PASS PASS PASS
110 Association with PEAP-MSCHAPv2 auth AES-CCMP encryption PASS PASS PASS PASS FreeRADIUS RootCA FAIL
115 Association with multiple ESSIDs on AP PASS PASS PASS PASS See Comment
116 Association with EAP-TLS authentication PASS PASS PASS PASS FreeRADIUS RootCA + client certificate
TEST AREA POWER-SAVE AND QOS PASS
150 802.11 Power-save mode PASS PASS PASS PASS FAIL
151 Beacon period and DTIM interval NOT TESTED NOT TESTED NOT TESTED NOT TESTED Only DTIM 1 for AP205. AP103 no remark NOT TESTED
152 802.11e U-APSD PASS PASS PASS PASS See Comment
202 WMM prioritization NOT TESTED NOT TESTED NOT TESTED NOT TESTED Background load generated with iPerf. No degradation of voice quality
TEST AREA PERFORMANCE
301 Active mode - unencrypted NOT TESTED NOT TESTED NOT TESTED NOT TESTED
303 Active mode - encrypted with WPA2-PSK NOT TESTED NOT TESTED NOT TESTED NOT TESTED
308 Power-save mode U-APSD - WPA2-PSK NOT TESTED NOT TESTED NOT TESTED NOT TESTED
309 Power-save mode U-APSD - WPA2-PSK AES background load NOT TESTED NOT TESTED NOT TESTED NOT TESTED
310 CAC - TSPEC PASS PASS PASS PASS No TSPEC based CAC
TEST AREA ROAMING AND HANDOVER TIMES
401 Handover with open authentication and no encryption PASS PASS PASS PASS avg a/n 29ms, b/g/n 27ms
403 Handover with WPA-PSK authentication and TKIP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED
404 Handover with WPA2-PSK auth and AES-CCMP encryption PASS PASS PASS PASS avg a/n 57ms, b/g/n 55ms
408 Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption PASS PASS PASS PASS avg a/n 62ms, b/g/n 60ms
410 Handover using PMKSA caching PASS PASS PASS PASS Always on, see 408
411 Handover using PMKSA and opportunistic/proactive key caching PASS PASS PASS PASS Always on, see 408
412 Preauthentication NOT TESTED NOT TESTED NOT TESTED NOT TESTED
TEST AREA BATTERY LIFETIME
501 Battery lifetime in idle NOT TESTED NOT TESTED NOT TESTED NOT TESTED
502 Battery lifetime in call with no power save NOT TESTED NOT TESTED NOT TESTED NOT TESTED
504 Battery lifetime in call with power save mode U-APSD NOT TESTED NOT TESTED NOT TESTED NOT TESTED
TEST AREA STABILITY
601 Duration of call - Active mode PASS PASS PASS PASS
602 Duration of call - U-APSD mode PASS PASS PASS PASS
TEST AREA 802.11n
801 Frame aggregation A-MSDU NOT TESTED NOT TESTED NOT TESTED NOT TESTED
802 Frame aggregation A-MPDU NOT TESTED NOT TESTED NOT TESTED NOT TESTED
804 40MHz channels NOT TESTED NOT TESTED NOT TESTED PASS
805 802.11n rates PASS PASS PASS PASS
Aruba's extensive portfolio of campus, branch/teleworker and mobile solutions simplifies operations and secures access to unified communications applications and services, regardless of the user's device, location or network. This dramatically improves productivity, lowering capital and operational costs while providing a superior, uninterrupted user experience.

Ascom Solution

The Ascom i62 offers a sophisticated telephony, messaging and alarm solution for enterprise business, based on Wi-Fi technology. By offering Voice over Wi-Fi, only one network needs to be installed and maintained for all applications, including Internet access, e-mail, voice and other business related applications.

The latest 802.11n and 802.11ac standards provide the benefits of higher throughput and longer range, increasing the ability to integrate with other systems and build efficient applications. With the new generation networks and handsets, the capacity and versatility outperform any other on-site wireless technology.

The Ascom i62 offers a unique management tool with a central management concept, enabling remote management and SW upgrades of the handsets over the air.

Certified Product Summary

Manufacturer: Ascom Wireless Solutions
Products Certified: Ascom i62 and OEM derivatives
Hardware Model Numbers: WH1-xxxx
Software Version Numbers: 5.2.8

RF Features Tested
Radio Supported: 802.11a/b/g/n
QoS Features Supported / Tested: WMM
Powersave Features Tested: U-APSD
Encryption Supported: WPA2-PSK, PEAP-MSCHAPv2, EAP-TLS
Encryption Tested: WPA2-PSK, PEAP-MSCHAPv2, EAP-TLS
802.11h Supported: Yes
Key Caching Support for Optimized Roaming: OKC and PMK

Voice Specific Features
Protocols Supported: SIP-UDP, SIP-TCP, SIP-TLS, H.323
Control Traffic Pattern: Handset to Server and vice versa
Voice Traffic Pattern: Peer-to-peer (between handsets)
# of Calls per AP Tested: 18 calls (not AP-capacity limited)

Aruba Edge Solution Qualification

Qualification Objective

Validate the interoperability of the Ascom i62 with Aruba's wireless LAN infrastructure (version 6.4.2.0).

Network Topology

Settings on the Aruba WLAN

Enable SNMP v2 on the Aruba Mobility Controller and configure the community string as follows

The following Aruba Mobility Controller configuration settings are recommended for use with Ascom i62 handsets:

RF Recommended Settings for Ascom
  o Beacon Interval: 100ms
  o DTIM Period: 5
  o WMM U-APSD: Enabled
  o 802.11d Regulatory Domain: Country specific

Encryption and Authentication
  o The handset and the WLAN infrastructure support and were tested with WPA/WPA2 enterprise and PSK. Please refer to the Aruba configuration guide for additional information on how the SSIDs and encryption/authentication methods should be configured.

Adaptive Radio Management
  o Enable ARM voice aware scanning, WMM U-APSD and band steering.

User Roles and Policies
  o The Ascom phones support SIP and H.323, so enable the voice ACL or the SIP and H.323 ACLs.
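
The test configuration file in the appendix binds the ascom user role to a session ACL whose only rule is "any any any permit", while the recommendation above is the voice ACL or the SIP and H.323 ACLs. The following Python check is an added example, not part of the Aruba/Ascom guide: it parses "ip access-list session" and "user-role" blocks and reports every role that reaches an allow-all rule. The sample text is a constructed excerpt re-typed from that configuration file, and all function names are hypothetical.

```python
import re

# Constructed excerpt: ACL names, role names and rules re-typed from the test
# configuration file in the appendix, one command per line, sub-commands indented.
SAMPLE_CONFIG = """\
ip access-list session sip-acl
  any any svc-sip-udp permit queue high
  any any svc-sip-tcp permit queue high
ip access-list session h323-acl
  any any svc-h323-tcp permit queue high
  any any svc-h323-udp permit queue high
ip access-list session dhcp-acl
  any any svc-dhcp permit
ip access-list session ra-guard
  ipv6 user any icmpv6 rtr-adv deny
ip access-list session ascom
  any any any permit
ip access-list session apprf-ascom-sacl
ip access-list session global-sacl
user-role voice
  access-list session global-sacl
  access-list session ra-guard
  access-list session sip-acl
  access-list session h323-acl
  access-list session dhcp-acl
user-role ascom
  access-list session global-sacl
  access-list session apprf-ascom-sacl
  access-list session ascom
"""

ACL_HEAD = re.compile(r'^ip access-list session "?([^"\s]+)"?$')
ROLE_HEAD = re.compile(r'^user-role "?([^"\s]+)"?$')
ROLE_ACL = re.compile(r'^access-list session "?([^"\s]+)"?')


def parse_config(text):
    """Return (acls, roles): ACL name -> rule token lists, role -> ACL names."""
    acls, roles = {}, {}
    kind = name = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if raw[0] not in " \t":
            # Any top-level command (including "!") closes the previous block.
            kind = name = None
            if m := ACL_HEAD.match(line):
                kind, name = "acl", m.group(1)
                acls.setdefault(name, [])
            elif m := ROLE_HEAD.match(line):
                kind, name = "role", m.group(1)
                roles.setdefault(name, [])
        elif kind == "acl":
            acls[name].append(line.split())
        elif kind == "role":
            if m := ROLE_ACL.match(line):
                roles[name].append(m.group(1))
    return acls, roles


def is_allow_all(rule):
    """True for 'any any any permit' (IPv4) or 'ipv6 any any any permit'."""
    tokens = rule[1:] if rule[:1] == ["ipv6"] else rule
    return tokens[:4] == ["any", "any", "any", "permit"]


def effective_rules(role, acls, roles):
    """Yield (acl_name, rule) in the order the role lists its ACLs.

    A role's session ACLs are applied in listed order and the first matching
    rule decides, so everything after an allow-all rule is unreachable.
    """
    for acl_name in roles[role]:
        for rule in acls.get(acl_name, []):
            yield acl_name, rule


def audit_roles(text):
    """Report each role whose rule list reaches an allow-all permit."""
    acls, roles = parse_config(text)
    findings = []
    for role in roles:
        for position, (acl_name, rule) in enumerate(effective_rules(role, acls, roles)):
            if is_allow_all(rule):
                findings.append({"role": role, "acl": acl_name,
                                 "rules_before": position, "rule": " ".join(rule)})
                break
    return findings


def permitted_services(text, role):
    """Sorted svc-* names that a role's ACLs explicitly permit."""
    acls, roles = parse_config(text)
    return sorted({tok for _, rule in effective_rules(role, acls, roles)
                   if "permit" in rule for tok in rule if tok.startswith("svc-")})


if __name__ == "__main__":
    for f in audit_roles(SAMPLE_CONFIG):
        print(f"role {f['role']}: ACL {f['acl']} contains '{f['rule']}' "
              f"({f['rules_before']} rules evaluated before it)")
    print("voice role permits:", ", ".join(permitted_services(SAMPLE_CONFIG, "voice")))
```

Run against a saved running configuration, the same functions list which roles are effectively unrestricted and which named services a voice-only role actually needs.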

Ascom Settings

The following Ascom i62 Handset configuration settings are recommended for use with Aruba Mobility Controllers:

Ascom i62 Configuration
World Mode Regulatory Domain: set to World mode
IP DSCP for Voice: 0xC0 (46) - Expedited Forwarding
IP DSCP for Signaling: 0x68 (26) - Assured Forwarding 31
Transmit Gratuitous ARP: Enable

Refer to Appendix A for additional details.
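
DSCP occupies the upper six bits of the IPv4 ToS byte, so DSCP 46 appears on the wire as ToS 0xB8 and DSCP 26 as ToS 0x68. The following Python check is an added example, not part of the guide: it decodes the ToS byte of captured packets and reports voice or signaling packets whose DSCP differs from the decimal values in the table above. The packets are constructed, the RTP port range is an assumption, and all function names are hypothetical.

```python
import struct

# Expected DSCP values are the decimal values from the handset table above.
EXPECTED_DSCP = {"voice": 46, "signaling": 26}
SIP_PORTS = {5060, 5061}               # SIP over UDP/TCP and SIP-TLS
RTP_PORT_RANGE = range(16384, 32768)   # assumed RTP port range for this example


def tos_from_dscp(dscp):
    """DSCP is the upper six bits of the ToS byte; the lower two bits are ECN."""
    return (dscp & 0x3F) << 2


def dscp_from_tos(tos):
    return (tos & 0xFF) >> 2


def build_packet(tos, proto, sport, dport):
    """Constructed 20-byte IPv4 header (no options) plus the L4 port fields."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 24, 0, 0, 64, proto, 0,
                         bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return header + struct.pack("!HH", sport, dport)


def classify(packet):
    """Return (kind, dscp); kind is 'voice', 'signaling' or 'other'."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    header_len = (packet[0] & 0x0F) * 4
    if len(packet) < header_len + 4:
        raise ValueError("truncated packet")
    proto = packet[9]
    ports = set(struct.unpack("!HH", packet[header_len:header_len + 4]))
    if proto in (6, 17) and ports & SIP_PORTS:
        kind = "signaling"
    elif proto == 17 and any(p in RTP_PORT_RANGE for p in ports):
        kind = "voice"
    else:
        kind = "other"
    return kind, dscp_from_tos(packet[1])


def check_markings(packets):
    """List (index, kind, seen_dscp, expected_dscp) for mis-marked packets."""
    problems = []
    for index, packet in enumerate(packets):
        kind, dscp = classify(packet)
        expected = EXPECTED_DSCP.get(kind)
        if expected is not None and dscp != expected:
            problems.append((index, kind, dscp, expected))
    return problems


# Constructed sample capture (UDP = protocol 17).
SAMPLE_PACKETS = [
    build_packet(0xB8, 17, 20000, 20002),  # RTP marked EF (DSCP 46)
    build_packet(0x68, 17, 5060, 5060),    # SIP marked AF31 (DSCP 26)
    build_packet(0x00, 17, 20004, 20006),  # RTP left at best effort
    build_packet(0xC0, 17, 20008, 20010),  # RTP carrying ToS byte 0xC0
]

if __name__ == "__main__":
    for index, kind, seen, expected in check_markings(SAMPLE_PACKETS):
        print(f"packet {index}: {kind} has DSCP {seen}, expected {expected}")
```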

Test Methodology

Summary Test Results

The features and functions listed below were assessed during interoperability testing. The test results are presented in the right-most column.

WLAN Controller Features

High Level Functionality: Result
Association Open with No Encryption: OK
Association Open with Static WEP 64/128: Not tested
Association WPA-PSK TKIP: OK
Association WPA2-PSK TKIP/AES Encryption: OK
Association PEAP-MSCHAPv2 Auth TKIP Encryption: OK
Association PEAP-MSCHAPv2 Auth AES Encryption: OK
Association EAP-TLS: OK
Association Multiple ESSIDs: OK
Beacon Interval and DTIM Period: OK
Pre-authentication: N/A
PMKSA Caching: OK
WPA2-Opportunistic/Proactive Key Caching: OK
WMM Prioritization: OK
Active Mode (load test): OK
802.11 Power-Save Mode: OK
802.11e U-APSD: OK
802.11e U-APSD (load test): OK

Roaming

High Level Functionality: Result
Roaming Open with No Encryption: OK (Avg. roaming time 24ms)
Roaming WPA-PSK TKIP Encryption: Not tested
Roaming WPA2-PSK AES Encryption: OK (Avg. roaming time 59ms)
Roaming PEAP-MSCHAPv2 Auth AES Encryption: OK (Avg. roaming time 68ms)

*) Stated roaming times were measured using 802.11b/g (n) AP-225. Refer to Appendix B for detailed test records.

**) Results observed with Opportunistic Key Caching enabled. Results average 400ms without Opportunistic Key Caching.

Known Limitations

- Note that AP-205/214/215/224/225/275 only supports DTIM 1. This will reduce the standby (idle) time from approximately 100 hours to 60 hours.

- Ascom i62 does not handle 802.11k info correctly, which affects the roaming negatively. It is therefore highly recommended to configure the Aruba system not to advertise the 802.11k capabilities for the Ascom i62 SSID.

Conclusion

The verification, including association, authentication, roaming and load test, produced very good results overall. Roaming times were in general good, with roaming times of around 40-60ms both when using WPA2-PSK/AES and PEAP-MSCHAPv2 (WPA2/AES).

Load testing showed that more than 18 Ascom i62 Handsets could maintain a call via a single Aruba access point when tested both in active and U-APSD modes. Note that 18 was the maximum number of devices tested and not the capacity limit.

Appendix 1

This section includes screenshots and explanations of basic settings required to use Ascom i62 Handsets with an Aruba 3400 Mobility Controller. Please note the security settings of each test case, as they were modified according to the needs of the test cases.

The configuration file is found at the end of this appendix.

General settings (SSID, Radio and QoS)

Set DTIM Interval to 5 (for AP-204/205/214/215/224/225 only value 1 is supported). This value is recommended for maximum battery conservation without impacting call quality. Using a lower value will also decrease the standby time slightly.

Ascom recommends disabling the lowest rates and recommends that 12 Mbit/s is the lowest basic rate.

Ensure that WMM and U-APSD are enabled. To match the default values in the i62, use DSCP 46 for Voice, 26 for video and 0 for best effort. It is also recommended that "Max Transmit Attempts" be set to 4.

Note: To further optimize performance, it is recommended that 802.11b clients be disallowed from associating by setting 6 Mbps or 12 Mbps as Basic Rates in the 802.11g configuration.

Set "Maximum Transmit Failures" to 25.

"High throughput enable" enables 802.11n capabilities that are supported in combination with Open encryption and WPA2-AES (PSK or Enterprise).

Ascom supports both 40MHz channels and Very High Throughput enabled SSIDs, including 80MHz channels.

Ascom recommends a Beacon Interval of 100ms and advertising 802.11d/h capabilities.

General guidelines when deploying Ascom i62 handsets (SW version 257 or later) in 802.11a/n environments:

1. Enabling more than 8 channels will degrade roaming performance. Ascom strongly recommends against going above this limit.

2. Using 40 MHz channels (or "channel-bonding") will reduce the number of non-DFS channels to two in ETSI regions (Europe). In FCC regions (North America) 40MHz is a more viable option because of the availability of additional non-DFS channels. The handset can co-exist with 40MHz stations in the same ESS.

3. Make sure that all non-DFS channels are taken before resorting to DFS channels. The handset can cope in mixed non-DFS and DFS environments; however, due to "unpredictability" introduced by radar detection protocols, voice quality may become distorted and roaming delayed. Hence Ascom recommends avoiding the use of DFS channels in VoWi-Fi deployments.

*) Dynamic Frequency Selection (radar detection)

Ascom recommends a Beacon Interval of 100ms and advertising 802.11d/h capabilities. For 802.11b/g/n use only channels 1, 6 and 11. For 802.11a/n use channels in accordance with Aruba's guidelines and in compliance with local regulations.

Encryption and Authentication Settings

WPA2-PSK: Set the security profile to WPA2-PSK AES encryption.

Enterprise/.1X authentication

Step 1: When configuring the authentication mode using a RADIUS server, the IP address and the secret must correspond to the IP address and the credential used by the RADIUS server. The RADIUS server should be added to a Server Group.

Step 2: Create an 802.1X Authentication Profile.

Step 3: Choose the 802.1X Authentication profile created in the previous step and configure the Authentication Server group.

Choose the configured AAA Profile and set WPA2/AES as the security mode.

See Appendix B for the controller configuration used for the certification process.

Ascom i62 Setting Summary

Network settings for WPA2-PSK

Network settings for .1X authentication (PEAP-MSCHAPv2)

802.1X Authentication requires a root certificate to be uploaded to the phone by "right clicking" -> Edit certificates. EAP-TLS will require both a root and a client certificate.

Note that both a root and a client certificate are needed for TLS. Otherwise only a root certificate is needed.

Server certificate validation can be overridden in version 4112 and above per handset setting (Validate server certificate under Network settings).

APPENDIX B

Test Summary

Description: Runs
Tests passed: 24
Tests Not Run: 11
Tests fail: 0
Test N/A: 0
Total Number of Tests: 35

Aruba Test Configuration File

version 6.4
enable secret 7d3988e20126db68084797bcc038534bffc2ced01c24555806
hostname Aruba3400
clock timezone PST -8
location Building1floor1
controller config 716
ip NAT pool dynamic-srcnat 0.0.0.0 0.0.0.0
ip access-list eth validuserethacl
  permit any
netservice svc-pcoip2-tcp tcp 4172
netservice svc-snmp-trap udp 162
netservice svc-netbios-dgm udp 138
netservice svc-citrix tcp 2598
netservice svc-smb-tcp tcp 445
netservice svc-ike udp 500
netservice svc-l2tp udp 1701
netservice svc-syslog udp 514
netservice svc-dhcp udp 67 68 alg dhcp
netservice svc-https tcp 443
netservice svc-ica tcp 1494
netservice svc-pptp tcp 1723
netservice svc-telnet tcp 23
netservice svc-http-accl tcp 88
netservice svc-sccp tcp 2000 alg sccp
netservice svc-sec-papi udp 8209
netservice svc-tftp udp 69 alg tftp
netservice svc-kerberos udp 88
netservice svc-sip-tcp tcp 5060
netservice svc-netbios-ssn tcp 139
netservice svc-pcoip-udp udp 50002
netservice svc-pcoip-tcp tcp 50002
netservice svc-pop3 tcp 110
netservice svc-adp udp 8200
netservice svc-cfgm-tcp tcp 8211
netservice svc-noe udp 32512 alg noe
netservice svc-http-proxy3 tcp 8888
netservice svc-lpd-tcp tcp 631
netservice svc-msrpc-tcp tcp 135 139
netservice svc-rtsp tcp 554 alg rtsp
netservice svc-dns udp 53 alg dns
netservice vnc tcp 5900 5905
netservice svc-vocera udp 5002 alg vocera
netservice svc-h323-tcp tcp 1720
netservice svc-h323-udp udp 1718 1719
netservice svc-http tcp 80
netservice svc-nterm tcp 1026 1028
netservice svc-sip-udp udp 5060
netservice svc-http-proxy2 tcp 8080
netservice svc-noe-oxo udp 5000 alg noe
netservice svc-papi udp 8211
netservice svc-ftp tcp 21 alg ftp
netservice svc-natt udp 4500
netservice svc-svp 119 alg svp
netservice svc-microsoft-ds tcp 445
netservice svc-gre 47
netservice svc-smtp tcp 25
netservice web tcp list 80 443
netservice svc-smb-udp udp 445
netservice svc-sips tcp 5061 alg sips
netservice svc-netbios-ns udp 137
netservice svc-esp 50
netservice svc-cups tcp 515
netservice svc-pcoip2-udp udp 4172
netservice svc-bootp udp 67 69
netservice svc-snmp udp 161
netservice svc-v6-dhcp udp 546 547
netservice svc-icmp 1
netservice svc-ntp udp 123
netservice svc-msrpc-udp udp 135 139
netservice svc-ssh tcp 22
netservice svc-http-proxy1 tcp 3128
netservice svc-v6-icmp 58
netservice svc-lpd-udp udp 631
netservice svc-vmware-rdp tcp 3389
netdestination6 ipv6-reserved-range
  invert
  network 2000::/3
netexthdr default
time-range night-hours periodic
  weekday 18:01 to 23:59
  weekday 00:00 to 07:59
time-range weekend periodic
  weekend 00:00 to 23:59
time-range working-hours periodic
  weekday 08:00 to 18:00
ip access-list session allow-diskservices
  any any svc-netbios-dgm permit
  any any svc-netbios-ssn permit
  any any svc-microsoft-ds permit
  any any svc-netbios-ns permit
ip access-list session control
  any any svc-papi permit
  any any svc-sec-papi permit
  user any udp 68 deny
  any any svc-icmp permit
  any any svc-dns permit
  any any svc-cfgm-tcp permit
  any any svc-adp permit
  any any svc-tftp permit
  any any svc-dhcp permit
  any any svc-natt permit
ip access-list session v6-icmp-acl
ip access-list session apprf-ascom-sacl
ip access-list session validuser
  network 169.254.0.0 255.255.0.0 any any deny
  network 127.0.0.0 255.0.0.0 any any deny
  network 224.0.0.0 240.0.0.0 any any deny
  host 255.255.255.255 any any deny
  network 240.0.0.0 240.0.0.0 any any deny
  any any any permit
  ipv6 host fe80:: any any deny
  ipv6 network fc00::/7 any any permit
  ipv6 network fe80::/64 any any permit
  ipv6 alias ipv6-reserved-range any any deny
  ipv6 any any any permit
ip access-list session vocera-acl
  any any svc-vocera permit queue high
ip access-list session v6-https-acl
ip access-list session vmware-acl
  any any svc-vmware-rdp permit tos 46 dot1p-priority 6
  any any svc-pcoip-tcp permit tos 46 dot1p-priority 6
  any any svc-pcoip-udp permit tos 46 dot1p-priority 6
  any any svc-pcoip2-tcp permit tos 46 dot1p-priority 6
  any any svc-pcoip2-udp permit tos 46 dot1p-priority 6
ip access-list session apprf-default-vpn-role-sacl
ip access-list session v6-control
  ipv6 any any svc-papi permit
  ipv6 any any svc-sec-papi permit
  ipv6 user any udp 547 deny
  ipv6 any any svc-v6-icmp permit
  ipv6 any any svc-dns permit
  ipv6 any any svc-cfgm-tcp permit
  ipv6 any any svc-adp permit
  ipv6 any any svc-tftp permit
  ipv6 any any svc-dhcp permit
  ipv6 any any svc-natt permit
ip access-list session icmp-acl
  any any svc-icmp permit
ip access-list session apprf-authenticated-sacl
ip access-list session apprf-stateful-dot1x-sacl
ip access-list session captiveportal
  user alias controller svc-https dst-nat 8081
  user any svc-http dst-nat 8080
  user any svc-https dst-nat 8081
  user any svc-http-proxy1 dst-nat 8088
  user any svc-http-proxy2 dst-nat 8088
  user any svc-http-proxy3 dst-nat 8088
ip access-list session v6-dhcp-acl
ip access-list session allowall
  any any any permit
ip access-list session v6-dns-acl
ip access-list session apprf-voice-sacl
ip access-list session lync-acl
  any any svc-sips permit queue high
ip access-list session test
ip access-list session sip-acl
  any any svc-sip-udp permit queue high
  any any svc-sip-tcp permit queue high
ip access-list session https-acl
  any any svc-https permit
ip access-list session citrix-acl
  any any svc-citrix permit tos 46 dot1p-priority 6
  any any svc-ica permit tos 46 dot1p-priority 6
ip access-list session dns-acl
  any any svc-dns permit
ip access-list session ascom
  any any any permit
ip access-list session ra-guard
  ipv6 user any icmpv6 rtr-adv deny
ip access-list session allow-printservices
  any any svc-cups permit
  any any svc-lpd-tcp permit
  any any svc-lpd-udp permit
ip access-list session logon-control
  user any udp 68 deny
  any any svc-icmp permit
  any any svc-dns permit
  any any svc-dhcp permit
  any any svc-natt permit
  any network 169.254.0.0 255.255.0.0 any deny
  any network 240.0.0.0 240.0.0.0 any deny
ip access-list session vpnlogon
  user any svc-ike permit
  user any svc-esp permit
  any any svc-l2tp permit
  any any svc-pptp permit
  any any svc-gre permit
ip access-list session srcnat
  user any any src-nat
ip access-list session skinny-acl
  any any svc-sccp permit queue high
ip access-list session tftp-acl
  any any svc-tftp permit
ip access-list session v6-allowall
ip access-list session apprf-cpbase-sacl
ip access-list session cplogout
  user alias controller svc-https dst-nat 8081
ip access-list session apprf-default-via-role-sacl
ip access-list session dhcp-acl
  any any svc-dhcp permit
ip access-list session http-acl
  any any svc-http permit
ip access-list session v6-http-acl
ip access-list session captiveportal6
  ipv6 user alias controller6 svc-https captive
  ipv6 user any svc-http captive
  ipv6 user any svc-https captive
  ipv6 user any svc-http-proxy1 captive
  ipv6 user any svc-http-proxy2 captive
  ipv6 user any svc-http-proxy3 captive
ip access-list session apprf-guest-sacl
ip access-list session ap-uplink-acl
  any any udp 68 permit
  any any svc-icmp permit
  any host 224.0.0.251 udp 5353 permit
ip access-list session ap-acl
  any any svc-gre permit
  any any svc-syslog permit
  any user svc-snmp permit
  user any svc-http permit
  user any svc-http-accl permit
  user any svc-smb-tcp permit
  user any svc-msrpc-tcp permit
  user any svc-snmp-trap permit
  user any svc-ntp permit
  user alias controller svc-ftp permit
ip access-list session svp-acl
  any any svc-svp permit queue high
  user host 224.0.1.116 any permit
ip access-list session noe-acl
  any any svc-noe permit queue high
ip access-list session global-sacl
ip access-list session v6-ap-acl
  ipv6 any any svc-gre permit
  ipv6 any any svc-syslog permit
  ipv6 any user svc-snmp permit
  ipv6 user any svc-snmp-trap permit
  ipv6 user any svc-ntp permit
  ipv6 user alias controller6 svc-ftp permit
ip access-list session h323-acl
  any any svc-h323-tcp permit queue high
  any any svc-h323-udp permit queue high
ip access-list session v6-logon-control
  ipv6 any network fc00::/7 any permit
  ipv6 any network fe80::/64 any permit
  ipv6 any alias ipv6-reserved-range any deny
vpn-dialer default-dialer
  ike authentication PRE-SHARE 0fa4598253e270cc96afbec0732b06120e4a3d76a908f6e2
dot1x high-watermark 60
dot1x low-watermark 57
user-role ap-role
  access-list session ra-guard
  access-list session control
  access-list session ap-acl
  access-list session v6-control
  access-list session v6-ap-acl
user-role denyall
user-role default-vpn-role
  access-list session global-sacl
  access-list session apprf-default-vpn-role-sacl
  access-list session ra-guard
  access-list session allowall
  access-list session v6-allowall
user-role cpbase
  access-list session global-sacl
  access-list session apprf-cpbase-sacl
user-role voice
  access-list session global-sacl
  access-list session apprf-voice-sacl
  access-list session ra-guard
  access-list session sip-acl
  access-list session noe-acl
  access-list session svp-acl
  access-list session vocera-acl
  access-list session skinny-acl
  access-list session h323-acl
  access-list session dhcp-acl
  access-list session tftp-acl
  access-list session dns-acl
  access-list session icmp-acl
user-role ascom
  access-list session global-sacl
  access-list session apprf-ascom-sacl
  access-list session ascom
user-role default-via-role
  access-list session global-sacl
  access-list session apprf-default-via-role-sacl
  access-list session allowall
  access-list session v6-allowall
user-role guest-logon
  captive-portal default
  access-list session ra-guard
  access-list session logon-control
  access-list session captiveportal
  access-list session v6-logon-control
  access-list session captiveportal6
user-role guest
  access-list session global-sacl
  access-list session apprf-guest-sacl
  access-list session ra-guard
  access-list session http-acl
  access-list session https-acl
  access-list session dhcp-acl
  access-list session icmp-acl
  access-list session dns-acl
  access-list session v6-http-acl
  access-list session v6-https-acl
  access-list session v6-dhcp-acl
  access-list session v6-icmp-acl
  access-list session v6-dns-acl
user-role stateful-dot1x
  access-list session global-sacl
  access-list session apprf-stateful-dot1x-sacl
user-role authenticated
  access-list session global-sacl
  access-list session apprf-authenticated-sacl
  access-list session ra-guard
  access-list session allowall
  access-list session v6-allowall
user-role logon
  access-list session ra-guard
  access-list session logon-control
  access-list session captiveportal
  access-list session vpnlogon
  access-list session v6-logon-control
  access-list session captiveportal6
no kernel coredump
interface mgmt
  shutdown
dialer group evdo_us
  init-string ATQ0V1E0
  dial-string ATDT777
dialer group gsm_us
  init-string AT+CGDCONT=1IPISPCINGULAR
  dial-string ATD99
dialer group gsm_asia
  init-string AT+CGDCONT=1IPinternet
  dial-string ATD991
dialer group vivo_br
  init-string AT+CGDCONT=1IPzapvivocombr
  dial-string ATD99
no spanning-tree
interface gigabitethernet 1/0
  description GE1/0
  trusted
  trusted vlan 1-4094
interface gigabitethernet 1/1
  description GE1/1
  trusted
  trusted vlan 1-4094
interface gigabitethernet 1/2
  description GE1/2
  trusted
  trusted vlan 1-4094
interface gigabitethernet 1/3
  description GE1/3
  trusted
  trusted vlan 1-4094
interface vlan 1
  ip address 192.168.0.13 255.255.255.0
ip default-gateway 172201061
ip default-gateway 192.168.0.50
uplink disable
crypto isakmp policy 20 encryption aes256 crypto isakmp policy 10001 crypto isakmp policy 10002 encryption aes256 authentication rsa‐sig crypto isakmp policy 10003 encryption aes256 crypto isakmp policy 10004 version v2 encryption aes256 authentication rsa‐sig crypto isakmp policy 10005 encryption aes256 crypto isakmp policy 10006 version v2 encryption aes128 authentication rsa‐sig crypto isakmp policy 10007 version v2 encryption aes128 crypto isakmp policy 10008 version v2 encryption aes128 hash sha2‐256‐128 group 19 authentication ecdsa‐256 prf prf‐hmac‐sha256 crypto isakmp policy 10009 version v2 encryption aes256 hash sha2‐384‐192 group 20 authentication ecdsa‐384 prf prf‐hmac‐sha384 crypto ipsec transform‐set default‐ha‐transform esp‐3des esp‐sha‐hmac crypto ipsec transform‐set default‐boc‐bm‐transform esp‐3des esp‐sha‐hmac crypto ipsec transform‐set default‐rap‐transform esp‐aes256 esp‐sha‐hmac crypto ipsec transform‐set default‐aes esp‐aes256 esp‐sha‐hmac crypto dynamic‐map default‐rap‐ipsecmap 10001 version v2 set transform‐set default‐gcm256 default‐gcm128 default‐rap‐transform crypto dynamic‐map default‐dynamicmap 10000 set transform‐set default‐transform default‐aes

crypto map GLOBAL-IKEV2-MAP 10000 ipsec-isakmp dynamic default-rap-ipsecmap
crypto map GLOBAL-MAP 10000 ipsec-isakmp dynamic default-dynamicmap
crypto isakmp eap-passthrough eap-tls
crypto isakmp eap-passthrough eap-peap
crypto isakmp eap-passthrough eap-mschapv2
vpdn group l2tp
vpdn group pptp
tunneled-node-address 0000
adp discovery enable
adp igmp-join enable
adp igmp-vlan 0
voice rtcp-inactivity disable
voice alg-based-cac enable
voice sip-midcall-req-timeout disable
ap ap-blacklist-time 3600
ap flush-r1-on-new-r0 disable
mgmt-user admin root 5436b5a101681372db26d314e974065944317cd3e1fe6a5534
no database synchronize
ip mobile domain default
airgroup mdns enable
airgroup dlna enable
airgroup location-discovery enable
airgroup active-wireless-discovery disable
airgroupservice airplay
  id _airplay_tcp
  id _raop_tcp
  id _appletv-v2_tcp
  description AirPlay
airgroupservice airprint
  id _ipp_tcp
  id _pdl-datastream_tcp
  id _printer_tcp
  id _scanner_tcp
  id _universal_sub_ipp_tcp
  id _universal_sub_ipps_tcp
  id _printer_sub_http_tcp
  id _http_tcp

  id _http-alt_tcp
  id _ipp-tls_tcp
  id _fax-ipp_tcp
  id _riousbprint_tcp
  id _cups_sub_ipp_tcp
  id _cups_sub_fax-ipp_tcp
  id _ica-networking_tcp
  id _ptp_tcp
  id _canon-bjnp1_tcp
  id _ipps_tcp
  id _ica-networking2_tcp
  description AirPrint
airgroupservice itunes
  id _home-sharing_tcp
  id _apple-mobdev_tcp
  id _daap_tcp
  id _dacp_tcp
  description iTunes
airgroupservice remotemgmt
  id _ssh_tcp
  id _sftp-ssh_tcp
  id _ftp_tcp
  id _telnet_tcp
  id _rfb_tcp
  id _net-assistant_tcp
  description Remote management
airgroupservice sharing
  id _odisk_tcp
  id _afpovertcp_tcp
  id _xgrid_tcp
  description Sharing
airgroupservice chat
  id _presence_tcp
  description Chat
airgroupservice googlecast
  id _googlecast_tcp
  description GoogleCast supported by Chromecast etc
airgroupservice DIAL
  id urndial-multiscreen-orgservicedial1
  id urndial-multiscreen-orgdevicedial1
  description DIAL supported by Chromecast FireTV Roku etc
airgroupservice DLNA Media
  id urnschemas-upnp-orgdeviceMediaServer1
  id urnschemas-upnp-orgdeviceMediaServer2
  id urnschemas-upnp-orgdeviceMediaServer3
  id urnschemas-upnp-orgdeviceMediaServer4
  id urnschemas-upnp-orgdeviceMediaRenderer1
  id urnschemas-upnp-orgdeviceMediaRenderer2
  id urnschemas-upnp-orgdeviceMediaRenderer3
  id urnschemas-upnp-orgdeviceMediaPlayer1
  description Media
airgroupservice DLNA Print
  id urnschemas-upnp-orgdevicePrinter1
  id urnschemas-upnp-orgservicePrintBasic1
  id urnschemas-upnp-orgservicePrintEnhanced1
  description Print
airgroupservice allowall

  description Remaining-Services
airgroup service airplay enable
airgroup service airprint enable
airgroup service itunes disable
airgroup service remotemgmt disable
airgroup service sharing disable
airgroup service chat disable
airgroup service googlecast disable
airgroup service DIAL enable
airgroup service DLNA Media disable
airgroup service DLNA Print disable
airgroup service allowall disable
ip igmp
ipv6 mld
no firewall attack-rate cp 1024
firewall enable ICE-STUN based firewall traversal
firewall attack-rate grat-arp 50 drop
ipv6 firewall ext-hdr-parse-len 100
firewall cp
ip domain lookup
country US
aaa authentication mac default
aaa authentication dot1x ArubaIntop-dot1x_prof
aaa authentication dot1x ascom
  machine-authentication enable
  machine-authentication machine-default-role ascom
  machine-authentication user-default-role authenticated
  reauthentication
  termination enable
  termination eap-type eap-peap
  termination inner-eap-type eap-mschapv2
aaa authentication dot1x default
aaa authentication dot1x Freeradius
  machine-authentication enable
  machine-authentication machine-default-role ascom
  machine-authentication user-default-role authenticated
aaa authentication-server radius Intop
  host 19216802

  key 6035e299cd29e5ccb74cf92aac31ee2f
aaa server-group ascom
  auth-server Internal
aaa server-group default
  auth-server Internal
  set role condition role value-of
aaa server-group intop
  auth-server Intop
aaa profile ascom
  initial-role ascom
  authentication-dot1x ascom
  dot1x-default-role authenticated
  dot1x-server-group ascom
aaa profile default
aaa profile default-dot1x
  initial-role ascom
  authentication-dot1x Freeradius
  dot1x-default-role authenticated
  dot1x-server-group intop
aaa profile default-dot1x-psk
  initial-role ascom
  authentication-dot1x default-psk
  dot1x-default-role authenticated
aaa authentication captive-portal default
aaa authentication wispr default
aaa authentication vpn default
aaa authentication vpn default-rap
aaa authentication mgmt
aaa authentication stateful-ntlm default
aaa authentication stateful-kerberos default
aaa authentication stateful-dot1x
  server-group intop
aaa authentication wired
web-server
guest-access-email
voice logging
voice dialplan-profile default
app lync traffic-control default
voice real-time-config
voice sip
aaa password-policy mgmt

control-plane-security
  no cpsec-enable
ids wms-general-profile
  poll-retries 3
ids wms-local-system-profile
valid-network-oui-profile
upgrade-profile
license profile
activate-service-whitelist
file syncing profile
ifmap cppm
pan profile default
pan active-profile
ap system-profile default
ap regulatory-domain-profile default
  country-code US
  valid-11g-channel 1
  valid-11g-channel 6
  valid-11g-channel 11
  valid-11a-channel 36
  valid-11a-channel 40
  valid-11a-channel 44
  valid-11a-channel 48
  valid-11a-channel 149
  valid-11a-channel 153
  valid-11a-channel 157
  valid-11a-channel 161
  valid-11a-channel 165
  valid-11g-40mhz-channel-pair 1-5
  valid-11g-40mhz-channel-pair 7-11
  valid-11a-40mhz-channel-pair 36-40
  valid-11a-40mhz-channel-pair 44-48
  valid-11a-40mhz-channel-pair 149-153
  valid-11a-40mhz-channel-pair 157-161
ap wired-ap-profile default
ap enet-link-profile default
ap mesh-ht-ssid-profile default
ap lldp med-network-policy-profile default
ap mesh-cluster-profile default
ap lldp profile default
ap mesh-radio-profile default
ap wired-port-profile default
ids general-profile default
ids unauthorized-device-profile default

ids profile default
rf arm-profile default
  assignment disable
rf arm-profile disable
  assignment disable
  no scanning
  no multi-band-scan
rf optimization-profile default
rf event-thresholds-profile default
rf am-scan-profile default
rf dot11a-radio-profile ch 165
  channel 48E
  tx-power 6
  arm-profile disable
rf dot11a-radio-profile ch 36
  channel 36E
  tx-power 25
  dot11h
  arm-profile disable
rf dot11a-radio-profile ch 40
  channel 40-
  tx-power 22
rf dot11a-radio-profile ch149
  channel 149E
  tx-power 6
  dot11h
rf dot11a-radio-profile ch44
  channel 44
  tx-power 16
rf dot11a-radio-profile default
  arm-profile disable
rf dot11g-radio-profile channel-1
  channel 1
  tx-power 6
  dot11h
  arm-profile disable
rf dot11g-radio-profile channel-11
  channel 11
  tx-power 30
  dot11h
  arm-profile disable
rf dot11g-radio-profile channel-6
  channel 6
  tx-power 25
  dot11h
  arm-profile disable
rf dot11g-radio-profile default
wlan handover-trigger-profile default

wlan rrm-ie-profile default
wlan bcn-rpt-req-profile default
wlan dot11r-profile default
wlan tsm-req-profile default
wlan voip-cac-profile default
  call-capacity 5
  bandwidth-capacity 200
  send-sip-status-code client 503
  send-sip-status-code server 503
wlan ht-ssid-profile default
  no 40MHz-enable
  no very-high-throughput-enable
  no 80MHz-enable
  no short-guard-intvl-20MHz
  no short-guard-intvl-40MHz
  no short-guard-intvl-80MHz
wlan hotspot anqp-venue-name-profile default
wlan hotspot anqp-nwk-auth-profile default
wlan hotspot anqp-roam-cons-profile default
wlan hotspot anqp-nai-realm-profile default
wlan hotspot anqp-3gpp-nwk-profile default
wlan hotspot h2qp-operator-friendly-name-profile default
wlan hotspot h2qp-wan-metrics-profile default
wlan hotspot h2qp-conn-capability-profile default
wlan hotspot h2qp-op-cl-profile default
wlan hotspot anqp-ip-addr-avail-profile default
wlan hotspot anqp-domain-name-profile default
wlan wmm-traffic-management-profile Ascom
  enable-shaping
wlan edca-parameters-profile station default
wlan edca-parameters-profile ap default
wlan dot11k-profile default
wlan ssid-profile --NEW--
  essid ArubaIntop2
  wmm-vo-dscp 56
  wmm-vi-dscp 40
  wmm-be-dscp 24
  wmm-bk-dscp 8
wlan ssid-profile default
  essid ArubaIntop
  opmode wpa2-psk-aes
  dtim-period 5
  g-basic-rates 6
  g-tx-rates 11 12 18 24 36 48 54

  max-retries 4
  wmm
  wmm-vo-dscp 46
  wmm-vi-dscp 40
  wmm-be-dscp 26
  wmm-bk-dscp 0
  wepkey1 1317981aecb1ee9a3145cbeeabbbc99a4c29e309ef9c8544
  wpa-passphrase 50a78a5dac7e447441e028920cceef898a3ba5f29c6e2098
  max-tx-fail 25
  edca-parameters-profile station default
  edca-parameters-profile ap default
wlan ssid-profile test
  opmode wpa2-psk-aes
  wmm-vo-dscp 56
  wmm-vi-dscp 40
  wmm-be-dscp 24
  wmm-bk-dscp 8
  wpa-passphrase c66913b490044f55538730b888a8522c02008a746fb88738
wlan hotspot advertisement-profile default
wlan hotspot hs2-profile default
wlan virtual-ap default
  aaa-profile default-dot1x
ap provisioning-profile default
rf arm-rf-domain-profile
  arm-rf-domain-key 49868e8b02680a8f03980ea4288197a4
ap-lacp-striping-ip
ap-group default
  virtual-ap default
  dot11a-radio-profile ch149
  dot11g-radio-profile channel-6
ap-name 001a1eca2c1a
  dot11a-radio-profile ch 36
  dot11g-radio-profile channel-11
ap-name 001a1eca2c76
  dot11a-radio-profile ch 36
  dot11g-radio-profile channel-1
ap-name 00246ccbf8b1
ap-name 00246ccbf900
  dot11a-radio-profile ch44
  dot11g-radio-profile channel-11
ap-name 24dec6cacabc
  dot11a-radio-profile ch149
  dot11g-radio-profile channel-1
ap-name 3400-ap-61-a
  dot11g-radio-profile channel-6
ap-name 3400-ap-61-b
  dot11g-radio-profile channel-6
ap-name 9c1c12c0c3bc
  dot11a-radio-profile ch 165
  dot11g-radio-profile channel-6

ap-name 9c1c12c82e5c
  dot11a-radio-profile ch149
  dot11g-radio-profile channel-1
ap-name 9c1c12cc6220
  dot11a-radio-profile ch 36
  dot11g-radio-profile channel-6
ap-name d8c7c8c0a168
  dot11a-radio-profile ch 36
  dot11g-radio-profile channel-1
airgroup cppm-server aaa
logging level warnings security subcat ids
logging level warnings security subcat ids-ap
snmp-server enable trap
snmp-server trap source 0000
snmp-server trap disable wlsxAdhocNetwork
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedAP
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedSta
snmp-server trap disable wlsxAdhocUsingValidSSID
snmp-server trap disable wlsxAuthMaxAclEntries
snmp-server trap disable wlsxAuthMaxBWContracts
snmp-server trap disable wlsxAuthMaxUserEntries
snmp-server trap disable wlsxAuthServerIsUp
snmp-server trap disable wlsxAuthServerReqTimedOut
snmp-server trap disable wlsxAuthServerTimedOut
snmp-server trap disable wlsxChannelChanged
snmp-server trap disable wlsxCoverageHoleDetected
snmp-server trap disable wlsxDBCommunicationFailure
snmp-server trap disable wlsxDisconnectStationAttack
snmp-server trap disable wlsxESIServerDown
snmp-server trap disable wlsxESIServerUp
snmp-server trap disable wlsxFanFailure
snmp-server trap disable wlsxFanTrayInserted
snmp-server trap disable wlsxFanTrayRemoved
snmp-server trap disable wlsxGBICInserted
snmp-server trap disable wlsxIpSpoofingDetected
snmp-server trap disable wlsxLCInserted
snmp-server trap disable wlsxLCRemoved
snmp-server trap disable wlsxLicenseExpiry
snmp-server trap disable wlsxLowMemory
snmp-server trap disable wlsxLowOnFlashSpace
snmp-server trap disable wlsxOutOfRangeTemperature
snmp-server trap disable wlsxOutOfRangeVoltage
snmp-server trap disable wlsxPowerSupplyFailure
snmp-server trap disable wlsxPowerSupplyMissing
snmp-server trap disable wlsxProcessDied
snmp-server trap disable wlsxProcessExceedsMemoryLimits
snmp-server trap disable wlsxSCInserted
snmp-server trap disable wlsxSignatureMatch
snmp-server trap disable wlsxStaUnAssociatedFromUnsecureAP
snmp-server trap disable wlsxStationAddedToBlackList
snmp-server trap disable wlsxStationRemovedFromBlackList
snmp-server trap disable wlsxSwitchIPChanged
snmp-server trap disable wlsxSwitchRoleChange
snmp-server trap disable wlsxUserAuthenticationFailed
snmp-server trap disable wlsxUserEntryAuthenticated
snmp-server trap disable wlsxUserEntryChanged
snmp-server trap disable wlsxUserEntryCreated
snmp-server trap disable wlsxUserEntryDeAuthenticated
snmp-server trap disable wlsxUserEntryDeleted
snmp-server trap disable wlsxVrrpStateChange

firewall-visibility
process monitor log
end

disable wlsxUserEntryDeletedsnmp-server trap disable wlsxVrrpStateChangefirewall-visibility process monitor logend

WLAN TR

WLAN Interoperability Test Report

Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP115 and AP225

WLAN configuration:
Beacon Interval 100 ms
DTIM Interval 5
802.11d Regulatory Domain XX
WMM Enabled (AutoWMM)
No Auto-tune
Single Voice VLAN

Verdict legend: PASS, FAIL, NOT TESTED, See Comment

Test Case | Description | AP115 2.4 GHz | AP115 5.0 GHz | AP225 2.4 GHz | AP225 5.0 GHz | Comment
TEST AREA: ASSOCIATION / AUTHENTICATION
101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS |
104 | Association with WPA-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62
105 | Association with WPA-PSK authentication, AES-CCMP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62
106 | Association with WPA2-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS |
110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL
111 | Association with EAP-FAST authentication | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment
116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate
TEST AREA: POWER-SAVE AND QOS
150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS |
151 | Beacon period and DTIM interval | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
152 | 802.11e U-APSD | PASS | PASS | PASS | PASS |
202 | WMM prioritization | PASS | PASS | PASS | PASS | Background load generated with iPerf. No degeneration of voice quality
TEST AREA: PERFORMANCE
301 | Active mode - unencrypted | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
303 | Active mode - encrypted with WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
308 | Power-save mode U-APSD - WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
309 | Power-save mode U-APSD - WPA2-PSK AES background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
310 | CAC - TSPEC | PASS | PASS | PASS | PASS | No TSPEC based CAC
TEST AREA: ROAMING AND HANDOVER TIMES
401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | avg a/n 24 ms, b/g/n 24 ms
403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 52 ms, b/g/n 59 ms
408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 63 ms, b/g/n 62 ms
410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | always on, see 408
411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | always on, see 408
TEST AREA: BATTERY LIFETIME
501 | Battery lifetime in idle | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
502 | Battery lifetime in call with no power save | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
504 | Battery lifetime in call with power save mode U-APSD | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
TEST AREA: STABILITY
601 | Duration of call - Active mode | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
602 | Duration of call - U-APSD mode | PASS | PASS | PASS | PASS |
TEST AREA: 802.11n
801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
804 | 40 MHz channels | NOT TESTED | PASS | NOT TESTED | NOT TESTED |
805 | 802.11n rates | PASS | PASS | PASS | PASS |

WLAN Interoperability Test Report

Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP103 and AP205

WLAN configuration:
Beacon Interval 100 ms
DTIM Interval 5
802.11d Regulatory Domain XX
WMM Enabled (AutoWMM)
No Auto-tune
Single Voice VLAN

Verdict legend: PASS, FAIL, NOT TESTED, See Comment

Test Case | Description | AP205 2.4 GHz | AP205 5.0 GHz | AP103 2.4 GHz | AP103 5.0 GHz | Comment
TEST AREA: ASSOCIATION / AUTHENTICATION
101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS |
104 | Association with WPA-PSK authentication, TKIP encryption | See Comment | See Comment | See Comment | See Comment | Not tested. Only possible in Mixed mode and requires advanced configuration of i62
105 | Association with WPA-PSK authentication, AES-CCMP encryption | See Comment | See Comment | See Comment | See Comment | Not tested. Only possible in Mixed mode and requires advanced configuration of i62
106 | Association with WPA2-PSK authentication, TKIP encryption | PASS | PASS | PASS | PASS |
107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS |
110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL
115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment
116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate
TEST AREA: POWER-SAVE AND QOS
150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS |
151 | Beacon period and DTIM interval | See Comment | See Comment | PASS | PASS | Only DTIM 1 for AP205; AP103 no remark
152 | 802.11e U-APSD | PASS | PASS | PASS | PASS |
202 | WMM prioritization | PASS | PASS | PASS | PASS |
TEST AREA: PERFORMANCE
301 | Active mode - unencrypted | PASS | PASS | PASS | PASS |
303 | Active mode - encrypted with WPA2-PSK | PASS | PASS | PASS | PASS |
308 | Power-save mode U-APSD - WPA2-PSK | PASS | PASS | PASS | PASS |
309 | Power-save mode U-APSD - WPA2-PSK AES background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
310 | CAC - TSPEC | PASS | PASS | PASS | PASS | Non TSPEC based CAC
TEST AREA: ROAMING AND HANDOVER TIMES
401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | Typical average roaming time: a/n/ac 16 ms, b/g/n 18 ms
403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | Typical average roaming time: a/n/ac 53 ms, b/g/n 59 ms
408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | Typical average roaming time: a/n/ac 46 ms, b/g/n 62 ms
410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | always on, see 408
411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | always on, see 408
TEST AREA: BATTERY LIFETIME
501 | Battery lifetime in idle | See Comment | See Comment | PASS | PASS | 60-70 h due to DTIM 1 only; AP103 90-100 h (DTIM 5)
502 | Battery lifetime in call with no power save | PASS | PASS | PASS | PASS | 3-4 hours
504 | Battery lifetime in call with power save mode U-APSD | PASS | PASS | PASS | PASS | 13 h (14-16 h for AP103)
TEST AREA: STABILITY
601 | Duration of call - Active mode | PASS | PASS | PASS | PASS | 24 h +
602 | Duration of call - U-APSD mode | PASS | PASS | PASS | PASS | 24 h +
TEST AREA: 802.11n
801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
804 | 40 MHz channels | NOT TESTED | PASS | NOT TESTED | PASS | AP205 80 MHz channels verified OK
805 | 802.11n rates | PASS | PASS | PASS | PASS |

WLAN Interoperability Test Report

Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP105 and AP135

WLAN configuration:
Beacon Interval 100 ms
DTIM Interval 5
802.11d Regulatory Domain XX
WMM Enabled (AutoWMM)
No Auto-tune
Single Voice VLAN

Verdict legend: PASS, FAIL, NOT TESTED, See Comment

Test Case | Description | AP105 2.4 GHz | AP105 5.0 GHz | AP135 2.4 GHz | AP135 5.0 GHz | Comment
TEST AREA: ASSOCIATION / AUTHENTICATION
101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS |
104 | Association with WPA-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62
105 | Association with WPA-PSK authentication, AES-CCMP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62
106 | Association with WPA2-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS |
110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL
115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment
116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate
TEST AREA: POWER-SAVE AND QOS
150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS |
151 | Beacon period and DTIM interval | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Only DTIM 1 for AP205; AP103 no remark
152 | 802.11e U-APSD | PASS | PASS | PASS | PASS |
202 | WMM prioritization | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Background load generated with iPerf. No degeneration of voice quality
TEST AREA: PERFORMANCE
301 | Active mode - unencrypted | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
303 | Active mode - encrypted with WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
308 | Power-save mode U-APSD - WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
309 | Power-save mode U-APSD - WPA2-PSK AES background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
310 | CAC - TSPEC | PASS | PASS | PASS | PASS | No TSPEC based CAC
TEST AREA: ROAMING AND HANDOVER TIMES
401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | avg a/n 29 ms, b/g/n 27 ms
403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 57 ms, b/g/n 55 ms
408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 62 ms, b/g/n 60 ms
410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | Always on, see 408
411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | Always on, see 408
412 | Preauthentication | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
TEST AREA: BATTERY LIFETIME
501 | Battery lifetime in idle | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
502 | Battery lifetime in call with no power save | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
504 | Battery lifetime in call with power save mode U-APSD | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
TEST AREA: STABILITY
601 | Duration of call - Active mode | PASS | PASS | PASS | PASS |
602 | Duration of call - U-APSD mode | PASS | PASS | PASS | PASS |
TEST AREA: 802.11n
801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
804 | 40 MHz channels | NOT TESTED | NOT TESTED | NOT TESTED | PASS |
805 | 802.11n rates | PASS | PASS | PASS | PASS |

Certified Product Summary

Manufacturer: Ascom Wireless Solutions
Products Certified: Ascom i62 and OEM derivatives
Hardware Model Numbers: WH1-xxxx
Software Version Numbers: 5.2.8

RF Features Tested

Radio Supported: 802.11a/b/g/n
QoS Features Supported/Tested: WMM
Powersave Features Tested: U-APSD
Encryption Supported: WPA2-PSK, PEAP-MSCHAPv2, EAP-TLS
Encryption Tested: WPA2-PSK, PEAP-MSCHAPv2, EAP-TLS
802.11h Supported: Yes
Key Caching Support for Optimized Roaming: OKC and PMK

Voice Specific Features

Protocols Supported: SIP-UDP, SIP-TCP, SIP-TLS, H.323
Control Traffic Pattern: Handset to Server and vice versa
Voice Traffic Pattern: Peer-to-peer (between handsets)
Number of Calls per AP Tested: 18 calls (not AP-capacity limited)

Aruba Edge Solution Qualification

Qualification Objective

Validate the interoperability of the Ascom i62 with Aruba's wireless LAN infrastructure (version 6.4.2.0).

Network Topology

Settings on the Aruba WLAN

Enable SNMP v2 on the Aruba Mobility Controller and configure the community string as follows:

The following Aruba Mobility Controller configuration settings are recommended for use with Ascom i62 handsets:

RF Recommended Settings for Ascom
o Beacon Interval: 100 ms
o DTIM Period: 5
o WMM / U-APSD: Enabled
o 802.11d Regulatory Domain: Country specific

Encryption and Authentication
o The handset and the WLAN infrastructure support and were tested with WPA/WPA2 enterprise and PSK. Please refer to the Aruba configuration guide for additional information on how the SSIDs and encryption/authentication methods should be configured.

Adaptive Radio Management
o Enable ARM voice aware scanning, WMM U-APSD and band steering.

User Roles and Policies
The Ascom phones support SIP and H.323, so enable the voice ACL or the SIP and H.323 ACLs.

Ascom Settings

The following Ascom i62 Handset configuration settings are recommended for use with Aruba Mobility Controllers:

Ascom i62 Configuration

World Mode Regulatory Domain: set to World mode
IP DSCP for Voice: 0xC0 (46) - Expedited Forwarding
IP DSCP for Signaling: 0x68 (26) - Assured Forwarding 31
Transmit Gratuitous ARP: Enable

Refer to Appendix A for additional details.

Test Methodology

Summary Test Results

The features and functions listed below were assessed during interoperability testing. The test results are presented in the right-most column.

WLAN Controller Features

High Level Functionality | Result
Association Open with No Encryption | OK
Association Open with Static WEP64/128 | Not tested
Association WPA-PSK TKIP | OK
Association WPA2-PSK TKIP/AES Encryption | OK
Association PEAP-MSCHAPv2 Auth TKIP Encryption | OK
Association PEAP-MSCHAPv2 Auth AES Encryption | OK
Association EAP-TLS | OK
Association Multiple ESSIDs | OK
Beacon Interval and DTIM Period | OK
Pre-authentication | N/A
PMKSA Caching | OK
WPA2-Opportunistic/Proactive Key Caching | OK
WMM Prioritization | OK
Active Mode (load test) | OK
802.11 Power-Save Mode | OK
802.11e U-APSD | OK
802.11e U-APSD (load test) | OK

Roaming

High Level Functionality | Result
Roaming Open with No Encryption | OK (Avg roaming time 24 ms)
Roaming WPA-PSK TKIP Encryption | Not tested
Roaming WPA2-PSK AES Encryption | OK (Avg roaming time 59 ms)
Roaming PEAP-MSCHAPv2 Auth AES Encryption | OK (Avg roaming time 68 ms)

Stated roaming times were measured using 802.11b/g (n) AP-225. Refer to Appendix B for detailed test records.

Results observed with Opportunistic Key Caching enabled. Results average 400 ms without Opportunistic Key Caching.

Known Limitations

- Note that AP-205/214/215/224/225/275 only support DTIM 1. This will reduce the standby (idle) time from approximately 100 hours to 60 hours.

- Ascom i62 does not handle 802.11k info correctly, which affects roaming negatively. It is therefore highly recommended to configure the Aruba system not to advertise the 802.11k capabilities for the Ascom i62 SSID.

Conclusion

The verification, including association, authentication, roaming and load test, produced very good results overall. Roaming times were in general good, at around 40-60 ms both when using WPA2-PSK/AES and PEAP-MSCHAPv2 (WPA2/AES).

Load testing showed that more than 18 Ascom i62 Handsets could maintain a call via a single Aruba access point when tested both in active and U-APSD modes. Note that 18 was the maximum number of devices tested and not the capacity limit.

Appendix 1

This section includes screenshots and explanations of basic settings required to use Ascom i62 Handsets with an Aruba 3400 Mobility Controller. Please note the security settings of each test case, as they were modified according to the needs of the test cases.

The configuration file is found at the end of this appendix.

General settings (SSID, Radio and QoS)

Set DTIM Interval to 5 (for AP-204/205/214/215/224/225 only value 1 is supported). This value is recommended for maximum battery conservation without impacting call quality. Using a lower value will also decrease the standby time slightly.

Ascom recommends disabling the lowest rates and recommends that 12 Mbit/s be the lowest basic rate.

Ensure that WMM and U-APSD are enabled. To match the default values in the i62, use DSCP 46 for voice, 26 for video and 0 for best effort. It is also recommended that "Max Transmit Attempts" be set to 4.

Note: To further optimize performance, it is recommended that 802.11b clients be disallowed from associating by setting 6 Mbps or 12 Mbps as Basic Rates in the 802.11g configuration.

Set "Maximum Transmit Failures" to 25.

"High throughput enable" enables 802.11n capabilities, which are supported in combination with Open encryption and WPA2-AES (PSK or Enterprise).

Ascom supports both 40 MHz and Very High Throughput enabled SSIDs, including 80 MHz channels.

Ascom recommends a Beacon Interval of 100 ms and advertising 802.11d/h capabilities.

General guidelines when deploying Ascom i62 handsets (SW version 257 or later) in 802.11a/n environments:

1. Enabling more than 8 channels will degrade roaming performance. Ascom strongly recommends against going above this limit.

2. Using 40 MHz channels (or "channel-bonding") will reduce the number of non-DFS channels to two in ETSI regions (Europe). In FCC regions (North America) 40 MHz is a more viable option because of the availability of additional non-DFS channels. The handset can co-exist with 40 MHz stations in the same ESS.

3. Make sure that all non-DFS channels are taken before resorting to DFS channels. The handset can cope in mixed non-DFS and DFS environments; however, due to the "unpredictability" introduced by radar detection protocols, voice quality may become distorted and roaming delayed. Hence Ascom recommends avoiding the use of DFS channels in VoWi-Fi deployments.

DFS: Dynamic Frequency Selection (radar detection)

Ascom recommends a Beacon Interval of 100 ms and advertising 802.11d/h capabilities. For 802.11b/g/n use only channels 1, 6 and 11. For 802.11a/n use channels in accordance with Aruba's guidelines and in compliance with local regulations.

Encryption and Authentication Settings

WPA2-PSK: Set the security profile to WPA2-PSK AES encryption.
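
The SSID settings recommended in this appendix (WPA2 with AES, DTIM 5, "Max Transmit Attempts" 4, "Maximum Transmit Failures" 25, WMM with voice DSCP 46) can be checked against a controller configuration before handsets are deployed. The Python script below is an added example, not part of the original guide and not Aruba or Ascom tooling. Its sample stanzas, profile names and ESSIDs are constructed, and the mapping of the GUI labels to the max-retries and max-tx-fail keywords and the wpa2-aes opmode value are assumptions modelled on the ssid-profile keywords in the test configuration file.

```python
"""Audit ArubaOS-style `wlan ssid-profile` stanzas against this guide's recommendations."""
import shlex

# Constructed sample in running-config layout (not taken from a real controller).
# Profile names, ESSIDs and the passphrase placeholder are made up for this example.
SAMPLE_CONFIG = """\
wlan ssid-profile "voice-psk"
   essid "VoiceLab"
   opmode wpa2-psk-aes
   dtim-period 5
   max-retries 4
   wmm
   wmm-vo-dscp 46
   wpa-passphrase PLACEHOLDER
   max-tx-fail 25
!
wlan ssid-profile "staging ssid"
   essid "VoiceLab2"
   wmm-vo-dscp 56
!
wlan ssid-profile "test"
   opmode wpa2-psk-aes
   wmm-vo-dscp 56
   wpa-passphrase PLACEHOLDER
!
"""

# Keyword -> value recommended in the guide. Mapping "Max Transmit Attempts" to
# max-retries and "Maximum Transmit Failures" to max-tx-fail is an assumption
# based on the keywords in the test configuration file. The guide notes that some
# AP models support only DTIM 1, so a dtim-period finding is expected there.
RECOMMENDED = {
    "dtim-period": "5",
    "max-retries": "4",
    "max-tx-fail": "25",
    "wmm-vo-dscp": "46",
}

# Operating modes accepted as WPA2 with AES. wpa2-psk-aes appears in the guide's
# configuration; wpa2-aes is assumed to be its 802.1X (enterprise) counterpart.
WPA2_AES_OPMODES = {"wpa2-psk-aes", "wpa2-aes"}


def parse_ssid_profiles(text):
    """Return {profile name: {keyword: value}} for every ssid-profile stanza."""
    profiles, current = {}, None
    for raw in text.splitlines():
        tokens = shlex.split(raw)          # keeps quoted names with spaces intact
        if not tokens:
            continue
        if not raw[0].isspace():           # unindented line: a new top-level command
            is_ssid = tokens[:2] == ["wlan", "ssid-profile"] and len(tokens) == 3
            current = profiles.setdefault(tokens[2], {}) if is_ssid else None
        elif current is not None:          # indented line inside an ssid-profile
            key, args = tokens[0], tokens[1:]
            if key == "no" and args:
                current[args[0]] = False   # e.g. "no wmm"
            else:
                current[key] = " ".join(args) if args else True
    return profiles


def audit_profile(settings):
    """List deviations of one profile from the guide's recommendations."""
    findings = []
    opmode = settings.get("opmode")
    if opmode is None:
        findings.append("opmode not set: no WPA2/AES protection configured")
    else:
        weak = [m for m in opmode.split() if m not in WPA2_AES_OPMODES]
        if weak:
            findings.append("opmode allows non-WPA2/AES modes: " + " ".join(weak))
    if settings.get("wmm") is not True:
        findings.append("wmm not enabled")
    for key, want in RECOMMENDED.items():
        have = settings.get(key)
        if have != want:
            findings.append(f"{key} is {have or 'not set'}, guide recommends {want}")
    return findings


def audit_config(text):
    """Audit every ssid-profile in a configuration text."""
    return {name: audit_profile(s) for name, s in parse_ssid_profiles(text).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print(f"  - {finding}")
```

A keyword that is absent from a stanza is reported as not set, because a running configuration typically lists only values that differ from the controller defaults.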

Enterprise/.1X authentication

Step 1: When configuring the authentication mode using a RADIUS server, the IP address and the secret must correspond to the IP address and the credential used by the RADIUS server. The RADIUS server should be added to a Server Group.

Step 2: Create an 802.1X Authentication Profile.

Step 3: Choose the 802.1X Authentication profile created in the previous step and configure the Authentication Server group.

Choose the configured AAA Profile and set WPA2/AES as the security mode.

See Appendix B for the controller configuration used for the certification process.

Ascom i62 Setting Summary

Network settings for WPA2-PSK

Network settings for .1X authentication (PEAP-MSCHAPv2)

802.1X Authentication requires a root certificate to be uploaded to the phone by "right clicking" -> Edit certificates. EAP-TLS will require both a root and a client certificate.

Note that both a root and a client certificate are needed for TLS. Otherwise only a root certificate is needed.

Server certificate validation can be overridden in version 4112 and above per handset setting (Validate server certificate under Network settings).

APPENDIX B

Test Summary

Description | Runs
Tests passed | 24
Tests Not Run | 11
Tests fail | 0
Test N/A | 0
Total Number of Tests | 35

ArubaTestConfigurationFile version 64 enable secret 7d3988e20126db68084797bcc038534bffc2ced01c24555806 hostname Aruba3400 clock timezone PST ‐8 location Building1floor1 controller config 716 ip NAT pool dynamic‐srcnat 0000 0000 ip access‐list eth validuserethacl permit any netservice svc‐pcoip2‐tcp tcp 4172 netservice svc‐snmp‐trap udp 162 netservice svc‐netbios‐dgm udp 138 netservice svc‐citrix tcp 2598 netservice svc‐smb‐tcp tcp 445 netservice svc‐ike udp 500 netservice svc‐l2tp udp 1701 netservice svc‐syslog udp 514 netservice svc‐dhcp udp 67 68 alg dhcp netservice svc‐https tcp 443 netservice svc‐ica tcp 1494 netservice svc‐pptp tcp 1723 netservice svc‐telnet tcp 23 netservice svc‐http‐accl tcp 88 netservice svc‐sccp tcp 2000 alg sccp netservice svc‐sec‐papi udp 8209 netservice svc‐tftp udp 69 alg tftp netservice svc‐kerberos udp 88 netservice svc‐sip‐tcp tcp 5060 netservice svc‐netbios‐ssn tcp 139 netservice svc‐pcoip‐udp udp 50002 netservice svc‐pcoip‐tcp tcp 50002 netservice svc‐pop3 tcp 110 netservice svc‐adp udp 8200 netservice svc‐cfgm‐tcp tcp 8211 netservice svc‐noe udp 32512 alg noe netservice svc‐http‐proxy3 tcp 8888 netservice svc‐lpd‐tcp tcp 631 netservice svc‐msrpc‐tcp tcp 135 139 netservice svc‐rtsp tcp 554 alg rtsp netservice svc‐dns udp 53 alg dns netservice vnc tcp 5900 5905 netservice svc‐vocera udp 5002 alg vocera netservice svc‐h323‐tcp tcp 1720 netservice svc‐h323‐udp udp 1718 1719 netservice svc‐http tcp 80 netservice svc‐nterm tcp 1026 1028 netservice svc‐sip‐udp udp 5060 netservice svc‐http‐proxy2 tcp 8080 netservice svc‐noe‐oxo udp 5000 alg noe netservice svc‐papi udp 8211 netservice svc‐ftp tcp 21 alg ftp netservice svc‐natt udp 4500 netservice svc‐svp 119 alg svp netservice svc‐microsoft‐ds tcp 445 netservice svc‐gre 47 netservice svc‐smtp tcp 25 netservice web tcp list 80 443 netservice svc‐smb‐udp udp 445 netservice svc‐sips tcp 5061 alg sips netservice svc‐netbios‐ns udp 137 netservice svc‐esp 50

netservice svc‐cups tcp 515 netservice svc‐pcoip2‐udp udp 4172 netservice svc‐bootp udp 67 69 netservice svc‐snmp udp 161 netservice svc‐v6‐dhcp udp 546 547 netservice svc‐icmp 1 netservice svc‐ntp udp 123 netservice svc‐msrpc‐udp udp 135 139 netservice svc‐ssh tcp 22 netservice svc‐http‐proxy1 tcp 3128 netservice svc‐v6‐icmp 58 netservice svc‐lpd‐udp udp 631 netservice svc‐vmware‐rdp tcp 3389 netdestination6 ipv6‐reserved‐range invert network 20003 netexthdr default time‐range night‐hours periodic weekday 1801 to 2359 weekday 0000 to 0759 time‐range weekend periodic weekend 0000 to 2359 time‐range working‐hours periodic weekday 0800 to 1800 ip access‐list session allow‐diskservices any any svc‐netbios‐dgm permit any any svc‐netbios‐ssn permit any any svc‐microsoft‐ds permit any any svc‐netbios‐ns permit ip access‐list session control any any svc‐papi permit any any svc‐sec‐papi permit user any udp 68 deny any any svc‐icmp permit any any svc‐dns permit any any svc‐cfgm‐tcp permit any any svc‐adp permit any any svc‐tftp permit any any svc‐dhcp permit any any svc‐natt permit ip access‐list session v6‐icmp‐acl ip access‐list session apprf‐ascom‐sacl ip access‐list session validuser network 16925400 25525500 any any deny network 127000 255000 any any deny network 224000 240000 any any deny host 255255255255 any any deny network 240000 240000 any any deny any any any permit ipv6 host fe80 any any deny ipv6 network fc007 any any permit ipv6 network fe8064 any any permit ipv6 alias ipv6‐reserved‐range any any deny ipv6 any any any permit ip access‐list session vocera‐acl any any svc‐vocera permit queue high

ip access‐list session v6‐https‐acl ip access‐list session vmware‐acl any any svc‐vmware‐rdp permit tos 46 dot1p‐priority 6 any any svc‐pcoip‐tcp permit tos 46 dot1p‐priority 6 any any svc‐pcoip‐udp permit tos 46 dot1p‐priority 6 any any svc‐pcoip2‐tcp permit tos 46 dot1p‐priority 6 any any svc‐pcoip2‐udp permit tos 46 dot1p‐priority 6 ip access‐list session apprf‐default‐vpn‐role‐sacl ip access‐list session v6‐control ipv6 any any svc‐papi permit ipv6 any any svc‐sec‐papi permit ipv6 user any udp 547 deny ipv6 any any svc‐v6‐icmp permit ipv6 any any svc‐dns permit ipv6 any any svc‐cfgm‐tcp permit ipv6 any any svc‐adp permit ipv6 any any svc‐tftp permit ipv6 any any svc‐dhcp permit ipv6 any any svc‐natt permit ip access‐list session icmp‐acl any any svc‐icmp permit ip access‐list session apprf‐authenticated‐sacl ip access‐list session apprf‐stateful‐dot1x‐sacl ip access‐list session captiveportal user alias controller svc‐https dst‐nat 8081 user any svc‐http dst‐nat 8080 user any svc‐https dst‐nat 8081 user any svc‐http‐proxy1 dst‐nat 8088 user any svc‐http‐proxy2 dst‐nat 8088 user any svc‐http‐proxy3 dst‐nat 8088 ip access‐list session v6‐dhcp‐acl ip access‐list session allowall any any any permit ip access‐list session v6‐dns‐acl ip access‐list session apprf‐voice‐sacl ip access‐list session lync‐acl any any svc‐sips permit queue high ip access‐list session test ip access‐list session sip‐acl any any svc‐sip‐udp permit queue high any any svc‐sip‐tcp permit queue high ip access‐list session https‐acl any any svc‐https permit ip access‐list session citrix‐acl any any svc‐citrix permit tos 46 dot1p‐priority 6 any any svc‐ica permit tos 46 dot1p‐priority 6 ip access‐list session dns‐acl any any svc‐dns permit

ip access‐list session ascom any any any permit ip access‐list session ra‐guard ipv6 user any icmpv6 rtr‐adv deny ip access‐list session allow‐printservices any any svc‐cups permit any any svc‐lpd‐tcp permit any any svc‐lpd‐udp permit ip access‐list session logon‐control user any udp 68 deny any any svc‐icmp permit any any svc‐dns permit any any svc‐dhcp permit any any svc‐natt permit any network 16925400 25525500 any deny any network 240000 240000 any deny ip access‐list session vpnlogon user any svc‐ike permit user any svc‐esp permit any any svc‐l2tp permit any any svc‐pptp permit any any svc‐gre permit ip access‐list session srcnat user any any src‐nat ip access‐list session skinny‐acl any any svc‐sccp permit queue high ip access‐list session tftp‐acl any any svc‐tftp permit ip access‐list session v6‐allowall ip access‐list session apprf‐cpbase‐sacl ip access‐list session cplogout user alias controller svc‐https dst‐nat 8081 ip access‐list session apprf‐default‐via‐role‐sacl ip access‐list session dhcp‐acl any any svc‐dhcp permit ip access‐list session http‐acl any any svc‐http permit ip access‐list session v6‐http‐acl ip access‐list session captiveportal6 ipv6 user alias controller6 svc‐https captive ipv6 user any svc‐http captive ipv6 user any svc‐https captive ipv6 user any svc‐http‐proxy1 captive ipv6 user any svc‐http‐proxy2 captive ipv6 user any svc‐http‐proxy3 captive ip access‐list session apprf‐guest‐sacl ip access‐list session ap‐uplink‐acl any any udp 68 permit

any any svc‐icmp permit any host 22400251 udp 5353 permit ip access‐list session ap‐acl any any svc‐gre permit any any svc‐syslog permit any user svc‐snmp permit user any svc‐http permit user any svc‐http‐accl permit user any svc‐smb‐tcp permit user any svc‐msrpc‐tcp permit user any svc‐snmp‐trap permit user any svc‐ntp permit user alias controller svc‐ftp permit ip access‐list session svp‐acl any any svc‐svp permit queue high user host 22401116 any permit ip access‐list session noe‐acl any any svc‐noe permit queue high ip access‐list session global‐sacl ip access‐list session v6‐ap‐acl ipv6 any any svc‐gre permit ipv6 any any svc‐syslog permit ipv6 any user svc‐snmp permit ipv6 user any svc‐snmp‐trap permit ipv6 user any svc‐ntp permit ipv6 user alias controller6 svc‐ftp permit ip access‐list session h323‐acl any any svc‐h323‐tcp permit queue high any any svc‐h323‐udp permit queue high ip access‐list session v6‐logon‐control ipv6 any network fc007 any permit ipv6 any network fe8064 any permit ipv6 any alias ipv6‐reserved‐range any deny vpn‐dialer default‐dialer ike authentication PRE‐SHARE 0fa4598253e270cc96afbec0732b06120e4a3d76a908f6e2 dot1x high‐watermark 60 dot1x low‐watermark 57 user‐role ap‐role access‐list session ra‐guard access‐list session control access‐list session ap‐acl access‐list session v6‐control access‐list session v6‐ap‐acl user‐role denyall user‐role default‐vpn‐role access‐list session global‐sacl access‐list session apprf‐default‐vpn‐role‐sacl access‐list session ra‐guard access‐list session allowall access‐list session v6‐allowall user‐role cpbase access‐list session global‐sacl access‐list session apprf‐cpbase‐sacl

user-role voice
  access-list session global-sacl
  access-list session apprf-voice-sacl
  access-list session ra-guard
  access-list session sip-acl
  access-list session noe-acl
  access-list session svp-acl
  access-list session vocera-acl
  access-list session skinny-acl
  access-list session h323-acl
  access-list session dhcp-acl
  access-list session tftp-acl
  access-list session dns-acl
  access-list session icmp-acl
user-role ascom
  access-list session global-sacl
  access-list session apprf-ascom-sacl
  access-list session ascom
user-role default-via-role
  access-list session global-sacl
  access-list session apprf-default-via-role-sacl
  access-list session allowall
  access-list session v6-allowall
user-role guest-logon
  captive-portal default
  access-list session ra-guard
  access-list session logon-control
  access-list session captiveportal
  access-list session v6-logon-control
  access-list session captiveportal6
user-role guest
  access-list session global-sacl
  access-list session apprf-guest-sacl
  access-list session ra-guard
  access-list session http-acl
  access-list session https-acl
  access-list session dhcp-acl
  access-list session icmp-acl
  access-list session dns-acl
  access-list session v6-http-acl
  access-list session v6-https-acl
  access-list session v6-dhcp-acl
  access-list session v6-icmp-acl
  access-list session v6-dns-acl
user-role stateful-dot1x
  access-list session global-sacl
  access-list session apprf-stateful-dot1x-sacl
user-role authenticated
  access-list session global-sacl
  access-list session apprf-authenticated-sacl
  access-list session ra-guard
  access-list session allowall
  access-list session v6-allowall
user-role logon
  access-list session ra-guard
  access-list session logon-control
  access-list session captiveportal
  access-list session vpnlogon
  access-list session v6-logon-control

  access-list session captiveportal6
no kernel coredump
interface mgmt
  shutdown
dialer group evdo_us
  init-string ATQ0V1E0
  dial-string ATDT777
dialer group gsm_us
  init-string AT+CGDCONT=1IPISPCINGULAR
  dial-string ATD99
dialer group gsm_asia
  init-string AT+CGDCONT=1IPinternet
  dial-string ATD991
dialer group vivo_br
  init-string AT+CGDCONT=1IPzapvivocombr
  dial-string ATD99
no spanning-tree
interface gigabitethernet 10
  description GE10
  trusted
  trusted vlan 1-4094
interface gigabitethernet 11
  description GE11
  trusted
  trusted vlan 1-4094
interface gigabitethernet 12
  description GE12
  trusted
  trusted vlan 1-4094
interface gigabitethernet 13
  description GE13
  trusted
  trusted vlan 1-4094
interface vlan 1
  ip address 192168013 2552552550
ip default-gateway 172201061
ip default-gateway 192168050
uplink disable

crypto isakmp policy 20
  encryption aes256
crypto isakmp policy 10001
crypto isakmp policy 10002
  encryption aes256
  authentication rsa-sig
crypto isakmp policy 10003
  encryption aes256
crypto isakmp policy 10004
  version v2
  encryption aes256
  authentication rsa-sig
crypto isakmp policy 10005
  encryption aes256
crypto isakmp policy 10006
  version v2
  encryption aes128
  authentication rsa-sig
crypto isakmp policy 10007
  version v2
  encryption aes128
crypto isakmp policy 10008
  version v2
  encryption aes128
  hash sha2-256-128
  group 19
  authentication ecdsa-256
  prf prf-hmac-sha256
crypto isakmp policy 10009
  version v2
  encryption aes256
  hash sha2-384-192
  group 20
  authentication ecdsa-384
  prf prf-hmac-sha384
crypto ipsec transform-set default-ha-transform esp-3des esp-sha-hmac
crypto ipsec transform-set default-boc-bm-transform esp-3des esp-sha-hmac
crypto ipsec transform-set default-rap-transform esp-aes256 esp-sha-hmac
crypto ipsec transform-set default-aes esp-aes256 esp-sha-hmac
crypto dynamic-map default-rap-ipsecmap 10001
  version v2
  set transform-set default-gcm256 default-gcm128 default-rap-transform
crypto dynamic-map default-dynamicmap 10000
  set transform-set default-transform default-aes

crypto map GLOBAL-IKEV2-MAP 10000 ipsec-isakmp dynamic default-rap-ipsecmap
crypto map GLOBAL-MAP 10000 ipsec-isakmp dynamic default-dynamicmap
crypto isakmp eap-passthrough eap-tls
crypto isakmp eap-passthrough eap-peap
crypto isakmp eap-passthrough eap-mschapv2
vpdn group l2tp
vpdn group pptp
tunneled-node-address 0000
adp discovery enable
adp igmp-join enable
adp igmp-vlan 0
voice rtcp-inactivity disable
voice alg-based-cac enable
voice sip-midcall-req-timeout disable
ap ap-blacklist-time 3600
ap flush-r1-on-new-r0 disable
mgmt-user admin root 5436b5a101681372db26d314e974065944317cd3e1fe6a5534
no database synchronize
ip mobile domain default
airgroup mdns enable
airgroup dlna enable
airgroup location-discovery enable
airgroup active-wireless-discovery disable
airgroupservice airplay
  id _airplay_tcp
  id _raop_tcp
  id _appletv-v2_tcp
  description AirPlay
airgroupservice airprint
  id _ipp_tcp
  id _pdl-datastream_tcp
  id _printer_tcp
  id _scanner_tcp
  id _universal_sub_ipp_tcp
  id _universal_sub_ipps_tcp
  id _printer_sub_http_tcp
  id _http_tcp

  id _http-alt_tcp
  id _ipp-tls_tcp
  id _fax-ipp_tcp
  id _riousbprint_tcp
  id _cups_sub_ipp_tcp
  id _cups_sub_fax-ipp_tcp
  id _ica-networking_tcp
  id _ptp_tcp
  id _canon-bjnp1_tcp
  id _ipps_tcp
  id _ica-networking2_tcp
  description AirPrint
airgroupservice itunes
  id _home-sharing_tcp
  id _apple-mobdev_tcp
  id _daap_tcp
  id _dacp_tcp
  description iTunes
airgroupservice remotemgmt
  id _ssh_tcp
  id _sftp-ssh_tcp
  id _ftp_tcp
  id _telnet_tcp
  id _rfb_tcp
  id _net-assistant_tcp
  description Remote management
airgroupservice sharing
  id _odisk_tcp
  id _afpovertcp_tcp
  id _xgrid_tcp
  description Sharing
airgroupservice chat
  id _presence_tcp
  description Chat
airgroupservice googlecast
  id _googlecast_tcp
  description GoogleCast supported by Chromecast etc
airgroupservice DIAL
  id urndial-multiscreen-orgservicedial1
  id urndial-multiscreen-orgdevicedial1
  description DIAL supported by Chromecast FireTV Roku etc
airgroupservice DLNA Media
  id urnschemas-upnp-orgdeviceMediaServer1
  id urnschemas-upnp-orgdeviceMediaServer2
  id urnschemas-upnp-orgdeviceMediaServer3
  id urnschemas-upnp-orgdeviceMediaServer4
  id urnschemas-upnp-orgdeviceMediaRenderer1
  id urnschemas-upnp-orgdeviceMediaRenderer2
  id urnschemas-upnp-orgdeviceMediaRenderer3
  id urnschemas-upnp-orgdeviceMediaPlayer1
  description Media
airgroupservice DLNA Print
  id urnschemas-upnp-orgdevicePrinter1
  id urnschemas-upnp-orgservicePrintBasic1
  id urnschemas-upnp-orgservicePrintEnhanced1
  description Print
airgroupservice allowall

  description Remaining-Services
airgroup service airplay enable
airgroup service airprint enable
airgroup service itunes disable
airgroup service remotemgmt disable
airgroup service sharing disable
airgroup service chat disable
airgroup service googlecast disable
airgroup service DIAL enable
airgroup service DLNA Media disable
airgroup service DLNA Print disable
airgroup service allowall disable
ip igmp
ipv6 mld
no firewall attack-rate cp 1024
firewall enable ICE-STUN based firewall traversal
firewall attack-rate grat-arp 50 drop
ipv6 firewall ext-hdr-parse-len 100
firewall cp
ip domain lookup
country US
aaa authentication mac default
aaa authentication dot1x ArubaIntop-dot1x_prof
aaa authentication dot1x ascom
  machine-authentication enable
  machine-authentication machine-default-role ascom
  machine-authentication user-default-role authenticated
  reauthentication
  termination enable
  termination eap-type eap-peap
  termination inner-eap-type eap-mschapv2
aaa authentication dot1x default
aaa authentication dot1x Freeradius
  machine-authentication enable
  machine-authentication machine-default-role ascom
  machine-authentication user-default-role authenticated
aaa authentication-server radius Intop
  host 19216802

  key 6035e299cd29e5ccb74cf92aac31ee2f
aaa server-group ascom
  auth-server Internal
aaa server-group default
  auth-server Internal
  set role condition role value-of
aaa server-group intop
  auth-server Intop
aaa profile ascom
  initial-role ascom
  authentication-dot1x ascom
  dot1x-default-role authenticated
  dot1x-server-group ascom
aaa profile default
aaa profile default-dot1x
  initial-role ascom
  authentication-dot1x Freeradius
  dot1x-default-role authenticated
  dot1x-server-group intop
aaa profile default-dot1x-psk
  initial-role ascom
  authentication-dot1x default-psk
  dot1x-default-role authenticated
aaa authentication captive-portal default
aaa authentication wispr default
aaa authentication vpn default
aaa authentication vpn default-rap
aaa authentication mgmt
aaa authentication stateful-ntlm default
aaa authentication stateful-kerberos default
aaa authentication stateful-dot1x
  server-group intop
aaa authentication wired
web-server
guest-access-email
voice logging
voice dialplan-profile default
app lync traffic-control default
voice real-time-config
voice sip
aaa password-policy mgmt

control-plane-security
  no cpsec-enable
ids wms-general-profile
  poll-retries 3
ids wms-local-system-profile
valid-network-oui-profile
upgrade-profile
license profile
activate-service-whitelist
file syncing profile
ifmap cppm
pan profile default
pan active-profile
ap system-profile default
ap regulatory-domain-profile default
  country-code US
  valid-11g-channel 1
  valid-11g-channel 6
  valid-11g-channel 11
  valid-11a-channel 36
  valid-11a-channel 40
  valid-11a-channel 44
  valid-11a-channel 48
  valid-11a-channel 149
  valid-11a-channel 153
  valid-11a-channel 157
  valid-11a-channel 161
  valid-11a-channel 165
  valid-11g-40mhz-channel-pair 1-5
  valid-11g-40mhz-channel-pair 7-11
  valid-11a-40mhz-channel-pair 36-40
  valid-11a-40mhz-channel-pair 44-48
  valid-11a-40mhz-channel-pair 149-153
  valid-11a-40mhz-channel-pair 157-161
ap wired-ap-profile default
ap enet-link-profile default
ap mesh-ht-ssid-profile default
ap lldp med-network-policy-profile default
ap mesh-cluster-profile default
ap lldp profile default
ap mesh-radio-profile default
ap wired-port-profile default
ids general-profile default
ids unauthorized-device-profile default

ids profile default
rf arm-profile default
  assignment disable
rf arm-profile disable
  assignment disable
  no scanning
  no multi-band-scan
rf optimization-profile default
rf event-thresholds-profile default
rf am-scan-profile default
rf dot11a-radio-profile ch 165
  channel 48E
  tx-power 6
  arm-profile disable
rf dot11a-radio-profile ch 36
  channel 36E
  tx-power 25
  dot11h
  arm-profile disable
rf dot11a-radio-profile ch 40
  channel 40-
  tx-power 22
rf dot11a-radio-profile ch149
  channel 149E
  tx-power 6
  dot11h
rf dot11a-radio-profile ch44
  channel 44
  tx-power 16
rf dot11a-radio-profile default
  arm-profile disable
rf dot11g-radio-profile channel-1
  channel 1
  tx-power 6
  dot11h
  arm-profile disable
rf dot11g-radio-profile channel-11
  channel 11
  tx-power 30
  dot11h
  arm-profile disable
rf dot11g-radio-profile channel-6
  channel 6
  tx-power 25
  dot11h
  arm-profile disable
rf dot11g-radio-profile default
wlan handover-trigger-profile default

wlan rrm-ie-profile default
wlan bcn-rpt-req-profile default
wlan dot11r-profile default
wlan tsm-req-profile default
wlan voip-cac-profile default
  call-capacity 5
  bandwidth-capacity 200
  send-sip-status-code client 503
  send-sip-status-code server 503
wlan ht-ssid-profile default
  no 40MHz-enable
  no very-high-throughput-enable
  no 80MHz-enable
  no short-guard-intvl-20MHz
  no short-guard-intvl-40MHz
  no short-guard-intvl-80MHz
wlan hotspot anqp-venue-name-profile default
wlan hotspot anqp-nwk-auth-profile default
wlan hotspot anqp-roam-cons-profile default
wlan hotspot anqp-nai-realm-profile default
wlan hotspot anqp-3gpp-nwk-profile default
wlan hotspot h2qp-operator-friendly-name-profile default
wlan hotspot h2qp-wan-metrics-profile default
wlan hotspot h2qp-conn-capability-profile default
wlan hotspot h2qp-op-cl-profile default
wlan hotspot anqp-ip-addr-avail-profile default
wlan hotspot anqp-domain-name-profile default
wlan wmm-traffic-management-profile Ascom
  enable-shaping
wlan edca-parameters-profile station default
wlan edca-parameters-profile ap default
wlan dot11k-profile default
wlan ssid-profile --NEW--
  essid ArubaIntop2
  wmm-vo-dscp 56
  wmm-vi-dscp 40
  wmm-be-dscp 24
  wmm-bk-dscp 8
wlan ssid-profile default
  essid ArubaIntop
  opmode wpa2-psk-aes
  dtim-period 5
  g-basic-rates 6
  g-tx-rates 11 12 18 24 36 48 54

  max-retries 4
  wmm
  wmm-vo-dscp 46
  wmm-vi-dscp 40
  wmm-be-dscp 26
  wmm-bk-dscp 0
  wepkey1 1317981aecb1ee9a3145cbeeabbbc99a4c29e309ef9c8544
  wpa-passphrase 50a78a5dac7e447441e028920cceef898a3ba5f29c6e2098
  max-tx-fail 25
  edca-parameters-profile station default
  edca-parameters-profile ap default
wlan ssid-profile test
  opmode wpa2-psk-aes
  wmm-vo-dscp 56
  wmm-vi-dscp 40
  wmm-be-dscp 24
  wmm-bk-dscp 8
  wpa-passphrase c66913b490044f55538730b888a8522c02008a746fb88738
wlan hotspot advertisement-profile default
wlan hotspot hs2-profile default
wlan virtual-ap default
  aaa-profile default-dot1x
ap provisioning-profile default
rf arm-rf-domain-profile
  arm-rf-domain-key 49868e8b02680a8f03980ea4288197a4
ap-lacp-striping-ip
ap-group default
  virtual-ap default
  dot11a-radio-profile ch149
  dot11g-radio-profile channel-6
ap-name 001a1eca2c1a
  dot11a-radio-profile ch 36
  dot11g-radio-profile channel-11
ap-name 001a1eca2c76
  dot11a-radio-profile ch 36
  dot11g-radio-profile channel-1
ap-name 00246ccbf8b1
ap-name 00246ccbf900
  dot11a-radio-profile ch44
  dot11g-radio-profile channel-11
ap-name 24dec6cacabc
  dot11a-radio-profile ch149
  dot11g-radio-profile channel-1
ap-name 3400-ap-61-a
  dot11g-radio-profile channel-6
ap-name 3400-ap-61-b
  dot11g-radio-profile channel-6
ap-name 9c1c12c0c3bc
  dot11a-radio-profile ch 165
  dot11g-radio-profile channel-6

ap-name 9c1c12c82e5c
  dot11a-radio-profile ch149
  dot11g-radio-profile channel-1
ap-name 9c1c12cc6220
  dot11a-radio-profile ch 36
  dot11g-radio-profile channel-6
ap-name d8c7c8c0a168
  dot11a-radio-profile ch 36
  dot11g-radio-profile channel-1
airgroup cppm-server aaa
logging level warnings security subcat ids
logging level warnings security subcat ids-ap
snmp-server enable trap
snmp-server trap source 0000
snmp-server trap disable wlsxAdhocNetwork
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedAP
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedSta
snmp-server trap disable wlsxAdhocUsingValidSSID
snmp-server trap disable wlsxAuthMaxAclEntries
snmp-server trap disable wlsxAuthMaxBWContracts
snmp-server trap disable wlsxAuthMaxUserEntries
snmp-server trap disable wlsxAuthServerIsUp
snmp-server trap disable wlsxAuthServerReqTimedOut
snmp-server trap disable wlsxAuthServerTimedOut
snmp-server trap disable wlsxChannelChanged
snmp-server trap disable wlsxCoverageHoleDetected
snmp-server trap disable wlsxDBCommunicationFailure
snmp-server trap disable wlsxDisconnectStationAttack
snmp-server trap disable wlsxESIServerDown
snmp-server trap disable wlsxESIServerUp
snmp-server trap disable wlsxFanFailure
snmp-server trap disable wlsxFanTrayInserted
snmp-server trap disable wlsxFanTrayRemoved
snmp-server trap disable wlsxGBICInserted
snmp-server trap disable wlsxIpSpoofingDetected
snmp-server trap disable wlsxLCInserted
snmp-server trap disable wlsxLCRemoved
snmp-server trap disable wlsxLicenseExpiry
snmp-server trap disable wlsxLowMemory
snmp-server trap disable wlsxLowOnFlashSpace
snmp-server trap disable wlsxOutOfRangeTemperature
snmp-server trap disable wlsxOutOfRangeVoltage
snmp-server trap disable wlsxPowerSupplyFailure
snmp-server trap disable wlsxPowerSupplyMissing
snmp-server trap disable wlsxProcessDied
snmp-server trap disable wlsxProcessExceedsMemoryLimits
snmp-server trap disable wlsxSCInserted
snmp-server trap disable wlsxSignatureMatch
snmp-server trap disable wlsxStaUnAssociatedFromUnsecureAP
snmp-server trap disable wlsxStationAddedToBlackList
snmp-server trap disable wlsxStationRemovedFromBlackList
snmp-server trap disable wlsxSwitchIPChanged
snmp-server trap disable wlsxSwitchRoleChange
snmp-server trap disable wlsxUserAuthenticationFailed
snmp-server trap disable wlsxUserEntryAuthenticated
snmp-server trap disable wlsxUserEntryChanged
snmp-server trap disable wlsxUserEntryCreated
snmp-server trap disable wlsxUserEntryDeAuthenticated
snmp-server trap disable wlsxUserEntryDeleted
snmp-server trap disable wlsxVrrpStateChange

firewall-visibility
process monitor log
end

ArubaIntop2 wmm-vo-dscp 56 wmm-vi-dscp 40 wmm-be-dscp 24 wmm-bk-dscp 8wlan ssid-profile default essid ArubaIntop opmode wpa2-psk-aes dtim-period 5 g-basic-rates 6 g-tx-rates 11 12 18 24 36 48 54 max-retries 4 wmm wmm-vo-dscp 46 wmm-vi-dscp 40 wmm-be-dscp 26 wmm-bk-dscp 0 wepkey1 1317981aecb1ee9a3145cbeeabbbc99a4c29e309ef9c8544 wpa-passphrase 50a78a5dac7e447441e028920cceef898a3ba5f29c6e2098 max-tx-fail 25 edca-parameters-profile station default edca-parameters-profile ap defaultwlan ssid-profile test opmode wpa2-psk-aes wmm-vo-dscp 56 wmm-vi-dscp 40 wmm-be-dscp 24 wmm-bk-dscp 8 wpa-passphrase c66913b490044f55538730b888a8522c02008a746fb88738wlan hotspot advertisement-profile defaultwlan hotspot hs2-profile defaultwlan virtual-ap default aaa-profile default-dot1xap provisioning-profile defaultrf arm-rf-domain-profile arm-rf-domain-key 49868e8b02680a8f03980ea4288197a4ap-lacp-striping-ipap-group default virtual-ap default dot11a-radio-profile ch149 dot11g-radio-profile channel-6ap-name 001a1eca2c1a dot11a-radio-profile ch 36 dot11g-radio-profile channel-11ap-name 001a1eca2c76 dot11a-radio-profile ch 36 dot11g-radio-profile channel-1ap-name 00246ccbf8b1ap-name 00246ccbf900 dot11a-radio-profile ch44 dot11g-radio-profile channel-11ap-name 24dec6cacabc dot11a-radio-profile ch149 dot11g-radio-profile channel-1ap-name 3400-ap-61-a dot11g-radio-profile channel-6ap-name 3400-ap-61-b dot11g-radio-profile channel-6ap-name 9c1c12c0c3bc dot11a-radio-profile ch 165 dot11g-radio-profile channel-6ap-name 9c1c12c82e5c dot11a-radio-profile ch149 dot11g-radio-profile channel-1ap-name 9c1c12cc6220 dot11a-radio-profile ch 36 dot11g-radio-profile channel-6ap-name d8c7c8c0a168 dot11a-radio-profile ch 36 dot11g-radio-profile channel-1airgroup cppm-server aaalogging level warnings security subcat idslogging level warnings security subcat ids-apsnmp-server enable trapsnmp-server trap source 0000snmp-server trap disable wlsxAdhocNetworksnmp-server trap disable 
wlsxAdhocNetworkBridgeDetectedAPsnmp-server trap disable wlsxAdhocNetworkBridgeDetectedStasnmp-server trap disable wlsxAdhocUsingValidSSIDsnmp-server trap disable wlsxAuthMaxAclEntriessnmp-server trap disable wlsxAuthMaxBWContractssnmp-server trap disable wlsxAuthMaxUserEntriessnmp-server trap disable wlsxAuthServerIsUpsnmp-server trap disable wlsxAuthServerReqTimedOutsnmp-server trap disable wlsxAuthServerTimedOutsnmp-server trap disable wlsxChannelChangedsnmp-server trap disable wlsxCoverageHoleDetectedsnmp-server trap disable wlsxDBCommunicationFailuresnmp-server trap disable wlsxDisconnectStationAttacksnmp-server trap disable wlsxESIServerDownsnmp-server trap disable wlsxESIServerUpsnmp-server trap disable wlsxFanFailuresnmp-server trap disable wlsxFanTrayInsertedsnmp-server trap disable wlsxFanTrayRemovedsnmp-server trap disable wlsxGBICInsertedsnmp-server trap disable wlsxIpSpoofingDetectedsnmp-server trap disable wlsxLCInsertedsnmp-server trap disable wlsxLCRemovedsnmp-server trap disable wlsxLicenseExpirysnmp-server trap disable wlsxLowMemorysnmp-server trap disable wlsxLowOnFlashSpacesnmp-server trap disable wlsxOutOfRangeTemperaturesnmp-server trap disable wlsxOutOfRangeVoltagesnmp-server trap disable wlsxPowerSupplyFailuresnmp-server trap disable wlsxPowerSupplyMissingsnmp-server trap disable wlsxProcessDiedsnmp-server trap disable wlsxProcessExceedsMemoryLimitssnmp-server trap disable wlsxSCInsertedsnmp-server trap disable wlsxSignatureMatchsnmp-server trap disable wlsxStaUnAssociatedFromUnsecureAPsnmp-server trap disable wlsxStationAddedToBlackListsnmp-server trap disable wlsxStationRemovedFromBlackListsnmp-server trap disable wlsxSwitchIPChangedsnmp-server trap disable wlsxSwitchRoleChangesnmp-server trap disable wlsxUserAuthenticationFailedsnmp-server trap disable wlsxUserEntryAuthenticatedsnmp-server trap disable wlsxUserEntryChangedsnmp-server trap disable wlsxUserEntryCreatedsnmp-server trap disable wlsxUserEntryDeAuthenticatedsnmp-server trap 
disable wlsxUserEntryDeletedsnmp-server trap disable wlsxVrrpStateChangefirewall-visibility process monitor logend

WLAN TR

WLAN Interoperability Test Report
Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP115 and AP225
WLAN configuration: Beacon Interval 100ms; DTIM Interval 5; 802.11d Regulatory Domain XX; WMM Enabled (AutoWMM); No Auto-tune; Single Voice VLAN

| Test Case | Description | AP115 2.4 GHz | AP115 5.0 GHz | AP225 2.4 GHz | AP225 5.0 GHz | Comment |
|---|---|---|---|---|---|---|
| | TEST AREA ASSOCIATION AUTHENTICATION | | | | | |
| 101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS | |
| 104 | Association with WPA-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 105 | Association with WPA-PSK authentication, AES-CCMP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 106 | Association with WPA2-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS | |
| 110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL |
| 111 | Association with EAP-FAST authentication | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment |
| 116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate |
| | TEST AREA POWER-SAVE AND QOS | | | | | PASS |
| 150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL |
| 151 | Beacon period and DTIM interval | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
| 152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment |
| 202 | WMM prioritization | PASS | PASS | PASS | PASS | Background load generated with iPerf. No degeneration of voice quality |
| | TEST AREA PERFORMANCE | | | | | |
| 301 | Active mode - unencrypted | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 303 | Active mode - encrypted with WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 308 | Power-save mode U-APSD - WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 309 | Power-save mode U-APSD - WPA2-PSK AES background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 310 | CAC - TSPEC | PASS | PASS | PASS | PASS | No TSPEC based CAC |
| | TEST AREA ROAMING AND HANDOVER TIMES | | | | | |
| 401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | avg a/n 24ms, b/g/n 24ms |
| 403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 52ms, b/g/n 59ms |
| 408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 63ms, b/g/n 62ms |
| 410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | always on, see 408 |
| 411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | always on, see 408 |
| | TEST AREA BATTERY LIFETIME | | | | | |
| 501 | Battery lifetime in idle | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 502 | Battery lifetime in call with no power save | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 504 | Battery lifetime in call with power save mode U-APSD | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| | TEST AREA STABILITY | | | | | |
| 601 | Duration of call - Active mode | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 602 | Duration of call - U-APSD mode | PASS | PASS | PASS | PASS | |
| | TEST AREA 802.11n | | | | | |
| 801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 804 | 40 MHz channels | NOT TESTED | PASS | NOT TESTED | NOT TESTED | |
| 805 | 802.11n rates | PASS | PASS | PASS | PASS | |

WLAN Interoperability Test Report
Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP103 and AP205
WLAN configuration: Beacon Interval 100ms; DTIM Interval 5; 802.11d Regulatory Domain XX; WMM Enabled (AutoWMM); No Auto-tune; Single Voice VLAN

| Test Case | Description | AP205 2.4 GHz | AP205 5.0 GHz | AP103 2.4 GHz | AP103 5.0 GHz | Comment |
|---|---|---|---|---|---|---|
| | TEST AREA ASSOCIATION AUTHENTICATION | | | | | |
| 101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS | |
| 104 | Association with WPA-PSK authentication, TKIP encryption | See Comment | See Comment | See Comment | See Comment | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 105 | Association with WPA-PSK authentication, AES-CCMP encryption | See Comment | See Comment | See Comment | See Comment | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 106 | Association with WPA2-PSK authentication, TKIP encryption | PASS | PASS | PASS | PASS | |
| 107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS | |
| 110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL |
| 115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment |
| 116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate |
| | TEST AREA POWER-SAVE AND QOS | | | | | PASS |
| 150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL |
| 151 | Beacon period and DTIM interval | See Comment | See Comment | PASS | PASS | Only DTIM 1 for AP205; AP103 no remark NOT TESTED |
| 152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment |
| 202 | WMM prioritization | PASS | PASS | PASS | PASS | |
| | TEST AREA PERFORMANCE | | | | | |
| 301 | Active mode - unencrypted | PASS | PASS | PASS | PASS | |
| 303 | Active mode - encrypted with WPA2-PSK | PASS | PASS | PASS | PASS | |
| 308 | Power-save mode U-APSD - WPA2-PSK | PASS | PASS | PASS | PASS | |
| 309 | Power-save mode U-APSD - WPA2-PSK AES background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 310 | CAC - TSPEC | PASS | PASS | PASS | PASS | Non TSPEC based CAC |
| | TEST AREA ROAMING AND HANDOVER TIMES | | | | | |
| 401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 16ms, b/g/n 18ms |
| 403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 53ms, b/g/n 59ms |
| 408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 46ms, b/g/n 62ms |
| 410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | always on, see 408 |
| 411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | always on, see 408 |
| | TEST AREA BATTERY LIFETIME | | | | | |
| 501 | Battery lifetime in idle | See Comment | See Comment | PASS | PASS | 60-70h due to DTIM 1 only AP103 90 100h (DTIM 5) |
| 502 | Battery lifetime in call with no power save | PASS | PASS | PASS | PASS | 3-4 hours |
| 504 | Battery lifetime in call with power save mode U-APSD | PASS | PASS | PASS | PASS | 13h (14-16h for AP103) |
| | TEST AREA STABILITY | | | | | |
| 601 | Duration of call - Active mode | PASS | PASS | PASS | PASS | 24h + |
| 602 | Duration of call - U-APSD mode | PASS | PASS | PASS | PASS | 24h + |
| | TEST AREA 802.11n | | | | | |
| 801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 804 | 40 MHz channels | NOT TESTED | PASS | NOT TESTED | PASS | AP205 80 MHz channels verified ok |
| 805 | 802.11n rates | PASS | PASS | PASS | PASS | |

WLAN Interoperability Test Report
Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP105 and AP135
WLAN configuration: Beacon Interval 100ms; DTIM Interval 5; 802.11d Regulatory Domain XX; WMM Enabled (AutoWMM); No Auto-tune; Single Voice VLAN

| Test Case | Description | AP105 2.4 GHz | AP105 5.0 GHz | AP135 2.4 GHz | AP135 5.0 GHz | Comment |
|---|---|---|---|---|---|---|
| | TEST AREA ASSOCIATION AUTHENTICATION | | | | | |
| 101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS | |
| 104 | Association with WPA-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 105 | Association with WPA-PSK authentication, AES-CCMP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 106 | Association with WPA2-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS | |
| 110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL |
| 115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment |
| 116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate |
| | TEST AREA POWER-SAVE AND QOS | | | | | PASS |
| 150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL |
| 151 | Beacon period and DTIM interval | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Only DTIM 1 for AP205; AP103 no remark NOT TESTED |
| 152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment |
| 202 | WMM prioritization | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Background load generated with iPerf. No degeneration of voice quality |
| | TEST AREA PERFORMANCE | | | | | |
| 301 | Active mode - unencrypted | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 303 | Active mode - encrypted with WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 308 | Power-save mode U-APSD - WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 309 | Power-save mode U-APSD - WPA2-PSK AES background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 310 | CAC - TSPEC | PASS | PASS | PASS | PASS | No TSPEC based CAC |
| | TEST AREA ROAMING AND HANDOVER TIMES | | | | | |
| 401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | avg a/n 29ms, b/g/n 27ms |
| 403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 57ms, b/g/n 55ms |
| 408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 62ms, b/g/n 60ms |
| 410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | Always on, see 408 |
| 411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | Always on, see 408 |
| 412 | Preauthentication | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| | TEST AREA BATTERY LIFETIME | | | | | |
| 501 | Battery lifetime in idle | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 502 | Battery lifetime in call with no power save | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 504 | Battery lifetime in call with power save mode U-APSD | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| | TEST AREA STABILITY | | | | | |
| 601 | Duration of call - Active mode | PASS | PASS | PASS | PASS | |
| 602 | Duration of call - U-APSD mode | PASS | PASS | PASS | PASS | |
| | TEST AREA 802.11n | | | | | |
| 801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 804 | 40 MHz channels | NOT TESTED | NOT TESTED | NOT TESTED | PASS | |
| 805 | 802.11n rates | PASS | PASS | PASS | PASS | |

Aruba Edge Solution Qualification

Qualification Objective

Validate the interoperability of the Ascom i62 with Aruba's wireless LAN infrastructure (version 6.4.2.0).

Network Topology

Settings on the Aruba WLAN

Enable SNMP v2 on the Aruba Mobility Controller and configure the community string as follows

The following Aruba Mobility Controller configuration settings are recommended for use with Ascom i62 handsets:

RF Recommended Settings for Ascom
o Beacon Interval: 100ms
o DTIM Period: 5
o WMM U-APSD: Enabled
o 802.11d Regulatory Domain: Country specific

Encryption and Authentication
o The handset and the WLAN infrastructure support and were tested with WPA/WPA2 enterprise and PSK. Please refer to the Aruba configuration guide for additional information on how the SSIDs and encryption/authentication methods should be configured.

Adaptive Radio Management
o Enable ARM voice aware scanning, WMM U-APSD and band steering.

User Roles and Policies
The Ascom phones support SIP and H.323, so enable the voice ACL or the SIP and H.323 ACLs.

Ascom Settings

The following Ascom i62 Handset configuration settings are recommended for use with Aruba Mobility Controllers:

Ascom i62 Configuration

World Mode Regulatory Domain: set to World mode
IP DSCP for Voice: 0xC0 (46) - Expedited Forwarding
IP DSCP for Signaling: 0x68 (26) - Assured Forwarding 31
Transmit Gratuitous ARP: Enable

Refer to Appendix A for additional details.

Test Methodology

Summary Test Results

The features and functions listed below were assessed during interoperability testing. The test results are presented in the right-most column.

WLAN Controller Features

| High Level Functionality | Result |
|---|---|
| Association Open with No Encryption | OK |
| Association Open with Static WEP64/128 | Not tested |
| Association WPA-PSK TKIP | OK |
| Association WPA2-PSK TKIP/AES Encryption | OK |
| Association PEAP-MSCHAPv2 Auth TKIP Encryption | OK |
| Association PEAP-MSCHAPv2 Auth AES Encryption | OK |
| Association EAP-TLS | OK |
| Association Multiple ESSIDs | OK |
| Beacon Interval and DTIM Period | OK |
| Pre-authentication | NA |
| PMKSA Caching | OK |
| WPA2-Opportunistic/Proactive Key Caching | OK |
| WMM Prioritization | OK |
| Active Mode (load test) | OK |
| 802.11 Power-Save Mode | OK |
| 802.11e U-APSD | OK |
| 802.11e U-APSD (load test) | OK |

Roaming

| High Level Functionality | Result |
|---|---|
| Roaming Open with No Encryption | OK (Avg roaming time 24ms) |
| Roaming WPA-PSK TKIP Encryption | Not tested |
| Roaming WPA2-PSK AES Encryption | OK (Avg roaming time 59ms) |
| Roaming PEAP-MSCHAPv2 Auth AES Encryption | OK (Avg roaming time 68ms) |

Stated roaming times were measured using 802.11b/g (n) AP-225. Refer to Appendix B for detailed test records.

Results observed with Opportunistic Key Caching enabled. Results average 400ms without Opportunistic Key Caching.

Known Limitations

- Note that AP-205/214/215/224/225/275 only supports DTIM 1. This will reduce the standby (idle) time from approximately 100 hours to 60 hours.

- Ascom i62 does not handle 802.11k info correctly, which affects roaming negatively. It is therefore highly recommended to configure the Aruba system not to advertise the 802.11k capabilities for the Ascom i62 SSID.

Conclusion

The verification, including association, authentication, roaming and load test, produced very good results overall. Roaming times were in general good, with roaming times of around 40-60ms both when using WPA2-PSK/AES and PEAP-MSCHAPv2 (WPA2/AES).

Load testing showed that more than 18 Ascom i62 Handsets could maintain a call via a single Aruba access point when tested both in active and U-APSD modes. Note that 18 was the maximum number of devices tested and not the capacity limit.

Appendix 1

This section includes screenshots and explanations of basic settings required to use Ascom i62 Handsets with an Aruba 3400 Mobility Controller. Please note the security settings of each test case, as they were modified according to the needs of the test cases.

The configuration file is found at the end of this appendix.

General settings (SSID, Radio and QoS)

Set DTIM Interval to 5 (for AP-204/205/214/215/224/225 only value 1 is supported). This value is recommended for maximum battery conservation without impacting call quality. Using a lower value will also decrease the standby time slightly.

Ascom recommends disabling the lowest rates and recommends that 12 Mbit/s is the lowest basic rate.

Ensure that WMM and U-APSD are enabled. To match the default values in the i62, use DSCP 46 for Voice, 26 for video and 0 for best effort. It is also recommended that "Max Transmit Attempts" be set to 4.

Note: To further optimize performance, it is recommended that 802.11b clients be disallowed from associating by setting 6 Mbps or 12 Mbps as Basic Rates in the 802.11g configuration.

Set "Maximum Transmit Failures" to 25.

"High throughput enable" enables 802.11n capabilities that are supported in combination with Open encryption and WPA2-AES (PSK or Enterprise).

Ascom supports both 40 MHz and Very High Throughput enabled SSIDs, including 80 MHz channels.

Ascom recommends a Beacon Interval of 100ms and advertising 802.11d/h capabilities.

General guidelines when deploying Ascom i62 handsets (SW version 257 or later) in 802.11a/n environments:

1. Enabling more than 8 channels will degrade roaming performance. Ascom strongly recommends against going above this limit.

2. Using 40 MHz channels (or "channel-bonding") will reduce the number of non-DFS channels to two in ETSI regions (Europe). In FCC regions (North America) 40 MHz is a more viable option because of the availability of additional non-DFS channels. The handset can co-exist with 40 MHz stations in the same ESS.

3. Make sure that all non-DFS channels are taken before resorting to DFS channels. The handset can cope in mixed non-DFS and DFS environments; however, due to "unpredictability" introduced by radar detection protocols, voice quality may become distorted and roaming delayed. Hence Ascom recommends avoiding the use of DFS channels in VoWi-Fi deployments.

DFS: Dynamic Frequency Selection (radar detection)

Ascom recommends a Beacon Interval of 100ms and advertising 802.11d/h capabilities. For 802.11b/g/n use only channels 1, 6 and 11. For 802.11a/n use channels in accordance with Aruba's guidelines and in compliance with local regulations.

Encryption and Authentication Settings

WPA2-PSK: Set the security profile to WPA2-PSK, AES encryption.

Enterprise .1X authentication

Step 1: When configuring the authentication mode using a RADIUS server, the IP address and the secret must correspond to the IP address and the credential used by the RADIUS server. The RADIUS server should be added to a Server Group.

Step 2: Create an 802.1X Authentication Profile.

Step 3: Choose the 802.1X Authentication profile created in the previous step and configure the Authentication Server group.

Choose the configured AAA Profile and set WPA2/AES as the security mode.

See Appendix B for the controller configuration used for the certification process.
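
The controller-side recommendations above can be checked against an exported configuration. The following is an added example, not part of the original guide and not Aruba or Ascom tooling: it parses "wlan ssid-profile" stanzas and reports deviations from the values this guide recommends. The stanza layout (indented sub-commands, quoted names, "!" separators), the wpa2-aes, wpa-psk-tkip and opensystem keywords, and both sample profiles are assumptions constructed for illustration; the other keys are spelled as in the configuration reproduced on this page.

```python
import re

# Values this guide recommends for the voice SSID; keys are spelled as in the
# controller configuration reproduced on this page.
RECOMMENDED = {"dtim-period": 5, "max-retries": 4, "max-tx-fail": 25, "wmm-vo-dscp": 46}
# "wpa2-psk-aes" appears in the page's configuration; "wpa2-aes" (802.1X) is assumed.
WPA2_AES_OPMODES = {"wpa2-psk-aes", "wpa2-aes"}
HEADER = re.compile(r'wlan ssid-profile\s+"?([^"]+?)"?\s*$')

# Constructed sample input (not taken from the guide's test controller).
SAMPLE_CONFIG = '''\
wlan ssid-profile "voice-ok"
   essid "VoWiFi"
   opmode wpa2-psk-aes
   dtim-period 5
   g-basic-rates 12
   g-tx-rates 12 18 24 36 48 54
   max-retries 4
   wmm
   wmm-vo-dscp "46"
   max-tx-fail 25
!
wlan ssid-profile "voice-weak"
   essid "VoWiFi-old"
   opmode wpa-psk-tkip
   dtim-period 1
   g-basic-rates 1 2
   wmm-vo-dscp "56"
!
wlan virtual-ap "default"
   ssid-profile "voice-ok"
!
'''


def parse_ssid_profiles(config_text):
    """Return {profile name: {sub-command: [arguments]}} for each ssid-profile stanza."""
    profiles, current = {}, None
    for raw in config_text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            # Top-level command or "!" separator: opens a new stanza or closes the old one.
            match = HEADER.match(raw.strip())
            current = profiles.setdefault(match.group(1), {}) if match else None
        elif current is not None:
            # Indented sub-command that belongs to the ssid-profile being read.
            key, *args = raw.replace('"', "").split()
            current[key] = args
    return profiles


def audit_profile(settings):
    """Return a list of deviations from the guide's recommendations (empty if none)."""
    findings = []
    # Assumption: a profile without an opmode line is an open (unencrypted) SSID.
    opmode = settings.get("opmode") or ["opensystem"]
    if not set(opmode) <= WPA2_AES_OPMODES:
        findings.append(f"opmode {' '.join(opmode)}: expected WPA2 with AES")
    for key, want in RECOMMENDED.items():
        got = settings.get(key)
        if not got:
            findings.append(f"{key} not set in profile (recommended {want})")
        elif int(got[0]) != want:
            findings.append(f"{key} is {got[0]} (recommended {want})")
    if "wmm" not in settings:
        findings.append("wmm is not enabled")
    rates = [int(r) for r in settings.get("g-basic-rates", [])]
    if not rates or min(rates) < 6:
        findings.append("g-basic-rates should start at 6 or 12 Mbps to keep 802.11b clients off")
    return findings


if __name__ == "__main__":
    for name, settings in parse_ssid_profiles(SAMPLE_CONFIG).items():
        issues = audit_profile(settings)
        print(f"{name}: {'OK' if not issues else str(len(issues)) + ' finding(s)'}")
        for issue in issues:
            print(f"  - {issue}")
```

The indented "ssid-profile" line under "wlan virtual-ap" is ignored on purpose: it is a reference to a profile, not a profile definition.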

Ascom i62 Setting Summary

Network settings for WPA2‐PSK

Network settings for .1X authentication (PEAP-MSCHAPv2)

802.1X Authentication requires a root certificate to be uploaded to the phone by "right clicking" -> Edit certificates. EAP-TLS will require both a root and a client certificate.

Note that both a root and a client certificate are needed for TLS. Otherwise only a root certificate is needed.

Server certificate validation can be overridden in version 4112 and above per handset setting (Validate server certificate under Network settings).

APPENDIX B

Test Summary

Description Runs

Tests passed 24

Tests Not Run 11

Tests fail 0

Test NA 0

Total Number of Tests 35

ArubaTestConfigurationFile version 64 enable secret 7d3988e20126db68084797bcc038534bffc2ced01c24555806 hostname Aruba3400 clock timezone PST ‐8 location Building1floor1 controller config 716 ip NAT pool dynamic‐srcnat 0000 0000 ip access‐list eth validuserethacl permit any netservice svc‐pcoip2‐tcp tcp 4172 netservice svc‐snmp‐trap udp 162 netservice svc‐netbios‐dgm udp 138 netservice svc‐citrix tcp 2598 netservice svc‐smb‐tcp tcp 445 netservice svc‐ike udp 500 netservice svc‐l2tp udp 1701 netservice svc‐syslog udp 514 netservice svc‐dhcp udp 67 68 alg dhcp netservice svc‐https tcp 443 netservice svc‐ica tcp 1494 netservice svc‐pptp tcp 1723 netservice svc‐telnet tcp 23 netservice svc‐http‐accl tcp 88 netservice svc‐sccp tcp 2000 alg sccp netservice svc‐sec‐papi udp 8209 netservice svc‐tftp udp 69 alg tftp netservice svc‐kerberos udp 88 netservice svc‐sip‐tcp tcp 5060 netservice svc‐netbios‐ssn tcp 139 netservice svc‐pcoip‐udp udp 50002 netservice svc‐pcoip‐tcp tcp 50002 netservice svc‐pop3 tcp 110 netservice svc‐adp udp 8200 netservice svc‐cfgm‐tcp tcp 8211 netservice svc‐noe udp 32512 alg noe netservice svc‐http‐proxy3 tcp 8888 netservice svc‐lpd‐tcp tcp 631 netservice svc‐msrpc‐tcp tcp 135 139 netservice svc‐rtsp tcp 554 alg rtsp netservice svc‐dns udp 53 alg dns netservice vnc tcp 5900 5905 netservice svc‐vocera udp 5002 alg vocera netservice svc‐h323‐tcp tcp 1720 netservice svc‐h323‐udp udp 1718 1719 netservice svc‐http tcp 80 netservice svc‐nterm tcp 1026 1028 netservice svc‐sip‐udp udp 5060 netservice svc‐http‐proxy2 tcp 8080 netservice svc‐noe‐oxo udp 5000 alg noe netservice svc‐papi udp 8211 netservice svc‐ftp tcp 21 alg ftp netservice svc‐natt udp 4500 netservice svc‐svp 119 alg svp netservice svc‐microsoft‐ds tcp 445 netservice svc‐gre 47 netservice svc‐smtp tcp 25 netservice web tcp list 80 443 netservice svc‐smb‐udp udp 445 netservice svc‐sips tcp 5061 alg sips netservice svc‐netbios‐ns udp 137 netservice svc‐esp 50

netservice svc‐cups tcp 515 netservice svc‐pcoip2‐udp udp 4172 netservice svc‐bootp udp 67 69 netservice svc‐snmp udp 161 netservice svc‐v6‐dhcp udp 546 547 netservice svc‐icmp 1 netservice svc‐ntp udp 123 netservice svc‐msrpc‐udp udp 135 139 netservice svc‐ssh tcp 22 netservice svc‐http‐proxy1 tcp 3128 netservice svc‐v6‐icmp 58 netservice svc‐lpd‐udp udp 631 netservice svc‐vmware‐rdp tcp 3389 netdestination6 ipv6‐reserved‐range invert network 20003 netexthdr default time‐range night‐hours periodic weekday 1801 to 2359 weekday 0000 to 0759 time‐range weekend periodic weekend 0000 to 2359 time‐range working‐hours periodic weekday 0800 to 1800 ip access‐list session allow‐diskservices any any svc‐netbios‐dgm permit any any svc‐netbios‐ssn permit any any svc‐microsoft‐ds permit any any svc‐netbios‐ns permit ip access‐list session control any any svc‐papi permit any any svc‐sec‐papi permit user any udp 68 deny any any svc‐icmp permit any any svc‐dns permit any any svc‐cfgm‐tcp permit any any svc‐adp permit any any svc‐tftp permit any any svc‐dhcp permit any any svc‐natt permit ip access‐list session v6‐icmp‐acl ip access‐list session apprf‐ascom‐sacl ip access‐list session validuser network 16925400 25525500 any any deny network 127000 255000 any any deny network 224000 240000 any any deny host 255255255255 any any deny network 240000 240000 any any deny any any any permit ipv6 host fe80 any any deny ipv6 network fc007 any any permit ipv6 network fe8064 any any permit ipv6 alias ipv6‐reserved‐range any any deny ipv6 any any any permit ip access‐list session vocera‐acl any any svc‐vocera permit queue high

ip access‐list session v6‐https‐acl ip access‐list session vmware‐acl any any svc‐vmware‐rdp permit tos 46 dot1p‐priority 6 any any svc‐pcoip‐tcp permit tos 46 dot1p‐priority 6 any any svc‐pcoip‐udp permit tos 46 dot1p‐priority 6 any any svc‐pcoip2‐tcp permit tos 46 dot1p‐priority 6 any any svc‐pcoip2‐udp permit tos 46 dot1p‐priority 6 ip access‐list session apprf‐default‐vpn‐role‐sacl ip access‐list session v6‐control ipv6 any any svc‐papi permit ipv6 any any svc‐sec‐papi permit ipv6 user any udp 547 deny ipv6 any any svc‐v6‐icmp permit ipv6 any any svc‐dns permit ipv6 any any svc‐cfgm‐tcp permit ipv6 any any svc‐adp permit ipv6 any any svc‐tftp permit ipv6 any any svc‐dhcp permit ipv6 any any svc‐natt permit ip access‐list session icmp‐acl any any svc‐icmp permit ip access‐list session apprf‐authenticated‐sacl ip access‐list session apprf‐stateful‐dot1x‐sacl ip access‐list session captiveportal user alias controller svc‐https dst‐nat 8081 user any svc‐http dst‐nat 8080 user any svc‐https dst‐nat 8081 user any svc‐http‐proxy1 dst‐nat 8088 user any svc‐http‐proxy2 dst‐nat 8088 user any svc‐http‐proxy3 dst‐nat 8088 ip access‐list session v6‐dhcp‐acl ip access‐list session allowall any any any permit ip access‐list session v6‐dns‐acl ip access‐list session apprf‐voice‐sacl ip access‐list session lync‐acl any any svc‐sips permit queue high ip access‐list session test ip access‐list session sip‐acl any any svc‐sip‐udp permit queue high any any svc‐sip‐tcp permit queue high ip access‐list session https‐acl any any svc‐https permit ip access‐list session citrix‐acl any any svc‐citrix permit tos 46 dot1p‐priority 6 any any svc‐ica permit tos 46 dot1p‐priority 6 ip access‐list session dns‐acl any any svc‐dns permit


ip access-list session ascom
  any any any permit
ip access-list session ra-guard
  ipv6 user any icmpv6 rtr-adv deny
ip access-list session allow-printservices
  any any svc-cups permit
  any any svc-lpd-tcp permit
  any any svc-lpd-udp permit
ip access-list session logon-control
  user any udp 68 deny
  any any svc-icmp permit
  any any svc-dns permit
  any any svc-dhcp permit
  any any svc-natt permit
  any network 16925400 25525500 any deny
  any network 240000 240000 any deny
ip access-list session vpnlogon
  user any svc-ike permit
  user any svc-esp permit
  any any svc-l2tp permit
  any any svc-pptp permit
  any any svc-gre permit
ip access-list session srcnat
  user any any src-nat
ip access-list session skinny-acl
  any any svc-sccp permit queue high
ip access-list session tftp-acl
  any any svc-tftp permit
ip access-list session v6-allowall
ip access-list session apprf-cpbase-sacl
ip access-list session cplogout
  user alias controller svc-https dst-nat 8081
ip access-list session apprf-default-via-role-sacl
ip access-list session dhcp-acl
  any any svc-dhcp permit
ip access-list session http-acl
  any any svc-http permit
ip access-list session v6-http-acl
ip access-list session captiveportal6
  ipv6 user alias controller6 svc-https captive
  ipv6 user any svc-http captive
  ipv6 user any svc-https captive
  ipv6 user any svc-http-proxy1 captive
  ipv6 user any svc-http-proxy2 captive
  ipv6 user any svc-http-proxy3 captive
ip access-list session apprf-guest-sacl
ip access-list session ap-uplink-acl
  any any udp 68 permit


  any any svc-icmp permit
  any host 22400251 udp 5353 permit
ip access-list session ap-acl
  any any svc-gre permit
  any any svc-syslog permit
  any user svc-snmp permit
  user any svc-http permit
  user any svc-http-accl permit
  user any svc-smb-tcp permit
  user any svc-msrpc-tcp permit
  user any svc-snmp-trap permit
  user any svc-ntp permit
  user alias controller svc-ftp permit
ip access-list session svp-acl
  any any svc-svp permit queue high
  user host 22401116 any permit
ip access-list session noe-acl
  any any svc-noe permit queue high
ip access-list session global-sacl
ip access-list session v6-ap-acl
  ipv6 any any svc-gre permit
  ipv6 any any svc-syslog permit
  ipv6 any user svc-snmp permit
  ipv6 user any svc-snmp-trap permit
  ipv6 user any svc-ntp permit
  ipv6 user alias controller6 svc-ftp permit
ip access-list session h323-acl
  any any svc-h323-tcp permit queue high
  any any svc-h323-udp permit queue high
ip access-list session v6-logon-control
  ipv6 any network fc007 any permit
  ipv6 any network fe8064 any permit
  ipv6 any alias ipv6-reserved-range any deny
vpn-dialer default-dialer
  ike authentication PRE-SHARE 0fa4598253e270cc96afbec0732b06120e4a3d76a908f6e2
dot1x high-watermark 60
dot1x low-watermark 57
user-role ap-role
  access-list session ra-guard
  access-list session control
  access-list session ap-acl
  access-list session v6-control
  access-list session v6-ap-acl
user-role denyall
user-role default-vpn-role
  access-list session global-sacl
  access-list session apprf-default-vpn-role-sacl
  access-list session ra-guard
  access-list session allowall
  access-list session v6-allowall
user-role cpbase
  access-list session global-sacl
  access-list session apprf-cpbase-sacl


user-role voice
  access-list session global-sacl
  access-list session apprf-voice-sacl
  access-list session ra-guard
  access-list session sip-acl
  access-list session noe-acl
  access-list session svp-acl
  access-list session vocera-acl
  access-list session skinny-acl
  access-list session h323-acl
  access-list session dhcp-acl
  access-list session tftp-acl
  access-list session dns-acl
  access-list session icmp-acl
user-role ascom
  access-list session global-sacl
  access-list session apprf-ascom-sacl
  access-list session ascom
user-role default-via-role
  access-list session global-sacl
  access-list session apprf-default-via-role-sacl
  access-list session allowall
  access-list session v6-allowall
user-role guest-logon
  captive-portal default
  access-list session ra-guard
  access-list session logon-control
  access-list session captiveportal
  access-list session v6-logon-control
  access-list session captiveportal6
user-role guest
  access-list session global-sacl
  access-list session apprf-guest-sacl
  access-list session ra-guard
  access-list session http-acl
  access-list session https-acl
  access-list session dhcp-acl
  access-list session icmp-acl
  access-list session dns-acl
  access-list session v6-http-acl
  access-list session v6-https-acl
  access-list session v6-dhcp-acl
  access-list session v6-icmp-acl
  access-list session v6-dns-acl
user-role stateful-dot1x
  access-list session global-sacl
  access-list session apprf-stateful-dot1x-sacl
user-role authenticated
  access-list session global-sacl
  access-list session apprf-authenticated-sacl
  access-list session ra-guard
  access-list session allowall
  access-list session v6-allowall
user-role logon
  access-list session ra-guard
  access-list session logon-control
  access-list session captiveportal
  access-list session vpnlogon
  access-list session v6-logon-control


  access-list session captiveportal6
no kernel coredump
interface mgmt
  shutdown
dialer group evdo_us
  init-string ATQ0V1E0
  dial-string ATDT777
dialer group gsm_us
  init-string AT+CGDCONT=1IPISPCINGULAR
  dial-string ATD99
dialer group gsm_asia
  init-string AT+CGDCONT=1IPinternet
  dial-string ATD991
dialer group vivo_br
  init-string AT+CGDCONT=1IPzapvivocombr
  dial-string ATD99
no spanning-tree
interface gigabitethernet 10
  description GE10
  trusted
  trusted vlan 1-4094
interface gigabitethernet 11
  description GE11
  trusted
  trusted vlan 1-4094
interface gigabitethernet 12
  description GE12
  trusted
  trusted vlan 1-4094
interface gigabitethernet 13
  description GE13
  trusted
  trusted vlan 1-4094
interface vlan 1
  ip address 192168013 2552552550
ip default-gateway 172201061
ip default-gateway 192168050
uplink disable


crypto isakmp policy 20
  encryption aes256
crypto isakmp policy 10001
crypto isakmp policy 10002
  encryption aes256
  authentication rsa-sig
crypto isakmp policy 10003
  encryption aes256
crypto isakmp policy 10004
  version v2
  encryption aes256
  authentication rsa-sig
crypto isakmp policy 10005
  encryption aes256
crypto isakmp policy 10006
  version v2
  encryption aes128
  authentication rsa-sig
crypto isakmp policy 10007
  version v2
  encryption aes128
crypto isakmp policy 10008
  version v2
  encryption aes128
  hash sha2-256-128
  group 19
  authentication ecdsa-256
  prf prf-hmac-sha256
crypto isakmp policy 10009
  version v2
  encryption aes256
  hash sha2-384-192
  group 20
  authentication ecdsa-384
  prf prf-hmac-sha384
crypto ipsec transform-set default-ha-transform esp-3des esp-sha-hmac
crypto ipsec transform-set default-boc-bm-transform esp-3des esp-sha-hmac
crypto ipsec transform-set default-rap-transform esp-aes256 esp-sha-hmac
crypto ipsec transform-set default-aes esp-aes256 esp-sha-hmac
crypto dynamic-map default-rap-ipsecmap 10001
  version v2
  set transform-set default-gcm256 default-gcm128 default-rap-transform
crypto dynamic-map default-dynamicmap 10000
  set transform-set default-transform default-aes


crypto map GLOBAL-IKEV2-MAP 10000 ipsec-isakmp dynamic default-rap-ipsecmap
crypto map GLOBAL-MAP 10000 ipsec-isakmp dynamic default-dynamicmap
crypto isakmp eap-passthrough eap-tls
crypto isakmp eap-passthrough eap-peap
crypto isakmp eap-passthrough eap-mschapv2
vpdn group l2tp
vpdn group pptp
tunneled-node-address 0000
adp discovery enable
adp igmp-join enable
adp igmp-vlan 0
voice rtcp-inactivity disable
voice alg-based-cac enable
voice sip-midcall-req-timeout disable
ap ap-blacklist-time 3600
ap flush-r1-on-new-r0 disable
mgmt-user admin root 5436b5a101681372db26d314e974065944317cd3e1fe6a5534
no database synchronize
ip mobile domain default
airgroup mdns enable
airgroup dlna enable
airgroup location-discovery enable
airgroup active-wireless-discovery disable
airgroupservice airplay
  id _airplay_tcp
  id _raop_tcp
  id _appletv-v2_tcp
  description AirPlay
airgroupservice airprint
  id _ipp_tcp
  id _pdl-datastream_tcp
  id _printer_tcp
  id _scanner_tcp
  id _universal_sub_ipp_tcp
  id _universal_sub_ipps_tcp
  id _printer_sub_http_tcp
  id _http_tcp


  id _http-alt_tcp
  id _ipp-tls_tcp
  id _fax-ipp_tcp
  id _riousbprint_tcp
  id _cups_sub_ipp_tcp
  id _cups_sub_fax-ipp_tcp
  id _ica-networking_tcp
  id _ptp_tcp
  id _canon-bjnp1_tcp
  id _ipps_tcp
  id _ica-networking2_tcp
  description AirPrint
airgroupservice itunes
  id _home-sharing_tcp
  id _apple-mobdev_tcp
  id _daap_tcp
  id _dacp_tcp
  description iTunes
airgroupservice remotemgmt
  id _ssh_tcp
  id _sftp-ssh_tcp
  id _ftp_tcp
  id _telnet_tcp
  id _rfb_tcp
  id _net-assistant_tcp
  description Remote management
airgroupservice sharing
  id _odisk_tcp
  id _afpovertcp_tcp
  id _xgrid_tcp
  description Sharing
airgroupservice chat
  id _presence_tcp
  description Chat
airgroupservice googlecast
  id _googlecast_tcp
  description GoogleCast supported by Chromecast etc
airgroupservice DIAL
  id urndial-multiscreen-orgservicedial1
  id urndial-multiscreen-orgdevicedial1
  description DIAL supported by Chromecast FireTV Roku etc
airgroupservice DLNA Media
  id urnschemas-upnp-orgdeviceMediaServer1
  id urnschemas-upnp-orgdeviceMediaServer2
  id urnschemas-upnp-orgdeviceMediaServer3
  id urnschemas-upnp-orgdeviceMediaServer4
  id urnschemas-upnp-orgdeviceMediaRenderer1
  id urnschemas-upnp-orgdeviceMediaRenderer2
  id urnschemas-upnp-orgdeviceMediaRenderer3
  id urnschemas-upnp-orgdeviceMediaPlayer1
  description Media
airgroupservice DLNA Print
  id urnschemas-upnp-orgdevicePrinter1
  id urnschemas-upnp-orgservicePrintBasic1
  id urnschemas-upnp-orgservicePrintEnhanced1
  description Print
airgroupservice allowall


  description Remaining-Services
airgroup service airplay enable
airgroup service airprint enable
airgroup service itunes disable
airgroup service remotemgmt disable
airgroup service sharing disable
airgroup service chat disable
airgroup service googlecast disable
airgroup service DIAL enable
airgroup service DLNA Media disable
airgroup service DLNA Print disable
airgroup service allowall disable
ip igmp
ipv6 mld
no firewall attack-rate cp 1024
firewall enable ICE-STUN based firewall traversal
firewall attack-rate grat-arp 50 drop
ipv6 firewall ext-hdr-parse-len 100
firewall cp
ip domain lookup
country US
aaa authentication mac default
aaa authentication dot1x ArubaIntop-dot1x_prof
aaa authentication dot1x ascom
  machine-authentication enable
  machine-authentication machine-default-role ascom
  machine-authentication user-default-role authenticated
  reauthentication
  termination enable
  termination eap-type eap-peap
  termination inner-eap-type eap-mschapv2
aaa authentication dot1x default
aaa authentication dot1x Freeradius
  machine-authentication enable
  machine-authentication machine-default-role ascom
  machine-authentication user-default-role authenticated
aaa authentication-server radius Intop
  host 19216802


  key 6035e299cd29e5ccb74cf92aac31ee2f
aaa server-group ascom
  auth-server Internal
aaa server-group default
  auth-server Internal
  set role condition role value-of
aaa server-group intop
  auth-server Intop
aaa profile ascom
  initial-role ascom
  authentication-dot1x ascom
  dot1x-default-role authenticated
  dot1x-server-group ascom
aaa profile default
aaa profile default-dot1x
  initial-role ascom
  authentication-dot1x Freeradius
  dot1x-default-role authenticated
  dot1x-server-group intop
aaa profile default-dot1x-psk
  initial-role ascom
  authentication-dot1x default-psk
  dot1x-default-role authenticated
aaa authentication captive-portal default
aaa authentication wispr default
aaa authentication vpn default
aaa authentication vpn default-rap
aaa authentication mgmt
aaa authentication stateful-ntlm default
aaa authentication stateful-kerberos default
aaa authentication stateful-dot1x
  server-group intop
aaa authentication wired
web-server
guest-access-email
voice logging
voice dialplan-profile default
app lync traffic-control default
voice real-time-config
voice sip
aaa password-policy mgmt


control-plane-security
  no cpsec-enable
ids wms-general-profile
  poll-retries 3
ids wms-local-system-profile
valid-network-oui-profile
upgrade-profile
license profile
activate-service-whitelist
file syncing profile
ifmap cppm
pan profile default
pan active-profile
ap system-profile default
ap regulatory-domain-profile default
  country-code US
  valid-11g-channel 1
  valid-11g-channel 6
  valid-11g-channel 11
  valid-11a-channel 36
  valid-11a-channel 40
  valid-11a-channel 44
  valid-11a-channel 48
  valid-11a-channel 149
  valid-11a-channel 153
  valid-11a-channel 157
  valid-11a-channel 161
  valid-11a-channel 165
  valid-11g-40mhz-channel-pair 1-5
  valid-11g-40mhz-channel-pair 7-11
  valid-11a-40mhz-channel-pair 36-40
  valid-11a-40mhz-channel-pair 44-48
  valid-11a-40mhz-channel-pair 149-153
  valid-11a-40mhz-channel-pair 157-161
ap wired-ap-profile default
ap enet-link-profile default
ap mesh-ht-ssid-profile default
ap lldp med-network-policy-profile default
ap mesh-cluster-profile default
ap lldp profile default
ap mesh-radio-profile default
ap wired-port-profile default
ids general-profile default
ids unauthorized-device-profile default


ids profile default
rf arm-profile default
  assignment disable
rf arm-profile disable
  assignment disable
  no scanning
  no multi-band-scan
rf optimization-profile default
rf event-thresholds-profile default
rf am-scan-profile default
rf dot11a-radio-profile ch 165
  channel 48E
  tx-power 6
  arm-profile disable
rf dot11a-radio-profile ch 36
  channel 36E
  tx-power 25
  dot11h
  arm-profile disable
rf dot11a-radio-profile ch 40
  channel 40-
  tx-power 22
rf dot11a-radio-profile ch149
  channel 149E
  tx-power 6
  dot11h
rf dot11a-radio-profile ch44
  channel 44
  tx-power 16
rf dot11a-radio-profile default
  arm-profile disable
rf dot11g-radio-profile channel-1
  channel 1
  tx-power 6
  dot11h
  arm-profile disable
rf dot11g-radio-profile channel-11
  channel 11
  tx-power 30
  dot11h
  arm-profile disable
rf dot11g-radio-profile channel-6
  channel 6
  tx-power 25
  dot11h
  arm-profile disable
rf dot11g-radio-profile default
wlan handover-trigger-profile default


wlan rrm-ie-profile default
wlan bcn-rpt-req-profile default
wlan dot11r-profile default
wlan tsm-req-profile default
wlan voip-cac-profile default
  call-capacity 5
  bandwidth-capacity 200
  send-sip-status-code client 503
  send-sip-status-code server 503
wlan ht-ssid-profile default
  no 40MHz-enable
  no very-high-throughput-enable
  no 80MHz-enable
  no short-guard-intvl-20MHz
  no short-guard-intvl-40MHz
  no short-guard-intvl-80MHz
wlan hotspot anqp-venue-name-profile default
wlan hotspot anqp-nwk-auth-profile default
wlan hotspot anqp-roam-cons-profile default
wlan hotspot anqp-nai-realm-profile default
wlan hotspot anqp-3gpp-nwk-profile default
wlan hotspot h2qp-operator-friendly-name-profile default
wlan hotspot h2qp-wan-metrics-profile default
wlan hotspot h2qp-conn-capability-profile default
wlan hotspot h2qp-op-cl-profile default
wlan hotspot anqp-ip-addr-avail-profile default
wlan hotspot anqp-domain-name-profile default
wlan wmm-traffic-management-profile Ascom
  enable-shaping
wlan edca-parameters-profile station default
wlan edca-parameters-profile ap default
wlan dot11k-profile default
wlan ssid-profile --NEW--
  essid ArubaIntop2
  wmm-vo-dscp 56
  wmm-vi-dscp 40
  wmm-be-dscp 24
  wmm-bk-dscp 8
wlan ssid-profile default
  essid ArubaIntop
  opmode wpa2-psk-aes
  dtim-period 5
  g-basic-rates 6
  g-tx-rates 11 12 18 24 36 48 54


  max-retries 4
  wmm
  wmm-vo-dscp 46
  wmm-vi-dscp 40
  wmm-be-dscp 26
  wmm-bk-dscp 0
  wepkey1 1317981aecb1ee9a3145cbeeabbbc99a4c29e309ef9c8544
  wpa-passphrase 50a78a5dac7e447441e028920cceef898a3ba5f29c6e2098
  max-tx-fail 25
  edca-parameters-profile station default
  edca-parameters-profile ap default
wlan ssid-profile test
  opmode wpa2-psk-aes
  wmm-vo-dscp 56
  wmm-vi-dscp 40
  wmm-be-dscp 24
  wmm-bk-dscp 8
  wpa-passphrase c66913b490044f55538730b888a8522c02008a746fb88738
wlan hotspot advertisement-profile default
wlan hotspot hs2-profile default
wlan virtual-ap default
  aaa-profile default-dot1x
ap provisioning-profile default
rf arm-rf-domain-profile
  arm-rf-domain-key 49868e8b02680a8f03980ea4288197a4
ap-lacp-striping-ip
ap-group default
  virtual-ap default
  dot11a-radio-profile ch149
  dot11g-radio-profile channel-6
ap-name 001a1eca2c1a
  dot11a-radio-profile ch 36
  dot11g-radio-profile channel-11
ap-name 001a1eca2c76
  dot11a-radio-profile ch 36
  dot11g-radio-profile channel-1
ap-name 00246ccbf8b1
ap-name 00246ccbf900
  dot11a-radio-profile ch44
  dot11g-radio-profile channel-11
ap-name 24dec6cacabc
  dot11a-radio-profile ch149
  dot11g-radio-profile channel-1
ap-name 3400-ap-61-a
  dot11g-radio-profile channel-6
ap-name 3400-ap-61-b
  dot11g-radio-profile channel-6
ap-name 9c1c12c0c3bc
  dot11a-radio-profile ch 165
  dot11g-radio-profile channel-6


ap-name 9c1c12c82e5c
  dot11a-radio-profile ch149
  dot11g-radio-profile channel-1
ap-name 9c1c12cc6220
  dot11a-radio-profile ch 36
  dot11g-radio-profile channel-6
ap-name d8c7c8c0a168
  dot11a-radio-profile ch 36
  dot11g-radio-profile channel-1
airgroup cppm-server aaa
logging level warnings security subcat ids
logging level warnings security subcat ids-ap
snmp-server enable trap
snmp-server trap source 0000
snmp-server trap disable wlsxAdhocNetwork
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedAP
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedSta
snmp-server trap disable wlsxAdhocUsingValidSSID
snmp-server trap disable wlsxAuthMaxAclEntries
snmp-server trap disable wlsxAuthMaxBWContracts
snmp-server trap disable wlsxAuthMaxUserEntries
snmp-server trap disable wlsxAuthServerIsUp
snmp-server trap disable wlsxAuthServerReqTimedOut
snmp-server trap disable wlsxAuthServerTimedOut
snmp-server trap disable wlsxChannelChanged
snmp-server trap disable wlsxCoverageHoleDetected
snmp-server trap disable wlsxDBCommunicationFailure
snmp-server trap disable wlsxDisconnectStationAttack
snmp-server trap disable wlsxESIServerDown
snmp-server trap disable wlsxESIServerUp
snmp-server trap disable wlsxFanFailure
snmp-server trap disable wlsxFanTrayInserted
snmp-server trap disable wlsxFanTrayRemoved
snmp-server trap disable wlsxGBICInserted
snmp-server trap disable wlsxIpSpoofingDetected
snmp-server trap disable wlsxLCInserted
snmp-server trap disable wlsxLCRemoved
snmp-server trap disable wlsxLicenseExpiry
snmp-server trap disable wlsxLowMemory
snmp-server trap disable wlsxLowOnFlashSpace
snmp-server trap disable wlsxOutOfRangeTemperature
snmp-server trap disable wlsxOutOfRangeVoltage
snmp-server trap disable wlsxPowerSupplyFailure
snmp-server trap disable wlsxPowerSupplyMissing
snmp-server trap disable wlsxProcessDied
snmp-server trap disable wlsxProcessExceedsMemoryLimits
snmp-server trap disable wlsxSCInserted
snmp-server trap disable wlsxSignatureMatch
snmp-server trap disable wlsxStaUnAssociatedFromUnsecureAP
snmp-server trap disable wlsxStationAddedToBlackList
snmp-server trap disable wlsxStationRemovedFromBlackList
snmp-server trap disable wlsxSwitchIPChanged
snmp-server trap disable wlsxSwitchRoleChange
snmp-server trap disable wlsxUserAuthenticationFailed
snmp-server trap disable wlsxUserEntryAuthenticated
snmp-server trap disable wlsxUserEntryChanged
snmp-server trap disable wlsxUserEntryCreated
snmp-server trap disable wlsxUserEntryDeAuthenticated
snmp-server trap disable wlsxUserEntryDeleted
snmp-server trap disable wlsxVrrpStateChange


firewall-visibility
process monitor log
end

Intopaaa profile ascom initial-role ascom authentication-dot1x ascom dot1x-default-role authenticated dot1x-server-group ascomaaa profile defaultaaa profile default-dot1x initial-role ascom authentication-dot1x Freeradius dot1x-default-role authenticated dot1x-server-group intopaaa profile default-dot1x-psk initial-role ascom authentication-dot1x default-psk dot1x-default-role authenticatedaaa authentication captive-portal defaultaaa authentication wispr defaultaaa authentication vpn defaultaaa authentication vpn default-rapaaa authentication mgmtaaa authentication stateful-ntlm defaultaaa authentication stateful-kerberos defaultaaa authentication stateful-dot1x server-group intopaaa authentication wiredweb-serverguest-access-emailvoice loggingvoice dialplan-profile defaultapp lync traffic-control defaultvoice real-time-configvoice sipaaa password-policy mgmtcontrol-plane-security no cpsec-enableids wms-general-profile poll-retries 3ids wms-local-system-profilevalid-network-oui-profileupgrade-profilelicense profileactivate-service-whitelistfile syncing profileifmap cppmpan profile defaultpan active-profileap system-profile defaultap regulatory-domain-profile default country-code US valid-11g-channel 1 valid-11g-channel 6 valid-11g-channel 11 valid-11a-channel 36 valid-11a-channel 40 valid-11a-channel 44 valid-11a-channel 48 valid-11a-channel 149 valid-11a-channel 153 valid-11a-channel 157 valid-11a-channel 161 valid-11a-channel 165 valid-11g-40mhz-channel-pair 1-5 valid-11g-40mhz-channel-pair 7-11 valid-11a-40mhz-channel-pair 36-40 valid-11a-40mhz-channel-pair 44-48 valid-11a-40mhz-channel-pair 149-153 valid-11a-40mhz-channel-pair 157-161ap wired-ap-profile defaultap enet-link-profile defaultap mesh-ht-ssid-profile defaultap lldp med-network-policy-profile defaultap mesh-cluster-profile defaultap lldp profile defaultap mesh-radio-profile defaultap wired-port-profile defaultids general-profile defaultids unauthorized-device-profile defaultids profile defaultrf 
arm-profile default assignment disablerf arm-profile disable assignment disable no scanning no multi-band-scanrf optimization-profile defaultrf event-thresholds-profile defaultrf am-scan-profile defaultrf dot11a-radio-profile ch 165 channel 48E tx-power 6 arm-profile disablerf dot11a-radio-profile ch 36 channel 36E tx-power 25 dot11h arm-profile disablerf dot11a-radio-profile ch 40 channel 40- tx-power 22rf dot11a-radio-profile ch149 channel 149E tx-power 6 dot11hrf dot11a-radio-profile ch44 channel 44 tx-power 16rf dot11a-radio-profile default arm-profile disablerf dot11g-radio-profile channel-1 channel 1 tx-power 6 dot11h arm-profile disablerf dot11g-radio-profile channel-11 channel 11 tx-power 30 dot11h arm-profile disablerf dot11g-radio-profile channel-6 channel 6 tx-power 25 dot11h arm-profile disablerf dot11g-radio-profile defaultwlan handover-trigger-profile defaultwlan rrm-ie-profile defaultwlan bcn-rpt-req-profile defaultwlan dot11r-profile defaultwlan tsm-req-profile defaultwlan voip-cac-profile default call-capacity 5 bandwidth-capacity 200 send-sip-status-code client 503 send-sip-status-code server 503wlan ht-ssid-profile default no 40MHz-enable no very-high-throughput-enable no 80MHz-enable no short-guard-intvl-20MHz no short-guard-intvl-40MHz no short-guard-intvl-80MHzwlan hotspot anqp-venue-name-profile defaultwlan hotspot anqp-nwk-auth-profile defaultwlan hotspot anqp-roam-cons-profile defaultwlan hotspot anqp-nai-realm-profile defaultwlan hotspot anqp-3gpp-nwk-profile defaultwlan hotspot h2qp-operator-friendly-name-profile defaultwlan hotspot h2qp-wan-metrics-profile defaultwlan hotspot h2qp-conn-capability-profile defaultwlan hotspot h2qp-op-cl-profile defaultwlan hotspot anqp-ip-addr-avail-profile defaultwlan hotspot anqp-domain-name-profile defaultwlan wmm-traffic-management-profile Ascom enable-shapingwlan edca-parameters-profile station defaultwlan edca-parameters-profile ap defaultwlan dot11k-profile defaultwlan ssid-profile --NEW-- essid 
ArubaIntop2 wmm-vo-dscp 56 wmm-vi-dscp 40 wmm-be-dscp 24 wmm-bk-dscp 8wlan ssid-profile default essid ArubaIntop opmode wpa2-psk-aes dtim-period 5 g-basic-rates 6 g-tx-rates 11 12 18 24 36 48 54 max-retries 4 wmm wmm-vo-dscp 46 wmm-vi-dscp 40 wmm-be-dscp 26 wmm-bk-dscp 0 wepkey1 1317981aecb1ee9a3145cbeeabbbc99a4c29e309ef9c8544 wpa-passphrase 50a78a5dac7e447441e028920cceef898a3ba5f29c6e2098 max-tx-fail 25 edca-parameters-profile station default edca-parameters-profile ap defaultwlan ssid-profile test opmode wpa2-psk-aes wmm-vo-dscp 56 wmm-vi-dscp 40 wmm-be-dscp 24 wmm-bk-dscp 8 wpa-passphrase c66913b490044f55538730b888a8522c02008a746fb88738wlan hotspot advertisement-profile defaultwlan hotspot hs2-profile defaultwlan virtual-ap default aaa-profile default-dot1xap provisioning-profile defaultrf arm-rf-domain-profile arm-rf-domain-key 49868e8b02680a8f03980ea4288197a4ap-lacp-striping-ipap-group default virtual-ap default dot11a-radio-profile ch149 dot11g-radio-profile channel-6ap-name 001a1eca2c1a dot11a-radio-profile ch 36 dot11g-radio-profile channel-11ap-name 001a1eca2c76 dot11a-radio-profile ch 36 dot11g-radio-profile channel-1ap-name 00246ccbf8b1ap-name 00246ccbf900 dot11a-radio-profile ch44 dot11g-radio-profile channel-11ap-name 24dec6cacabc dot11a-radio-profile ch149 dot11g-radio-profile channel-1ap-name 3400-ap-61-a dot11g-radio-profile channel-6ap-name 3400-ap-61-b dot11g-radio-profile channel-6ap-name 9c1c12c0c3bc dot11a-radio-profile ch 165 dot11g-radio-profile channel-6ap-name 9c1c12c82e5c dot11a-radio-profile ch149 dot11g-radio-profile channel-1ap-name 9c1c12cc6220 dot11a-radio-profile ch 36 dot11g-radio-profile channel-6ap-name d8c7c8c0a168 dot11a-radio-profile ch 36 dot11g-radio-profile channel-1airgroup cppm-server aaalogging level warnings security subcat idslogging level warnings security subcat ids-apsnmp-server enable trapsnmp-server trap source 0000snmp-server trap disable wlsxAdhocNetworksnmp-server trap disable 
wlsxAdhocNetworkBridgeDetectedAPsnmp-server trap disable wlsxAdhocNetworkBridgeDetectedStasnmp-server trap disable wlsxAdhocUsingValidSSIDsnmp-server trap disable wlsxAuthMaxAclEntriessnmp-server trap disable wlsxAuthMaxBWContractssnmp-server trap disable wlsxAuthMaxUserEntriessnmp-server trap disable wlsxAuthServerIsUpsnmp-server trap disable wlsxAuthServerReqTimedOutsnmp-server trap disable wlsxAuthServerTimedOutsnmp-server trap disable wlsxChannelChangedsnmp-server trap disable wlsxCoverageHoleDetectedsnmp-server trap disable wlsxDBCommunicationFailuresnmp-server trap disable wlsxDisconnectStationAttacksnmp-server trap disable wlsxESIServerDownsnmp-server trap disable wlsxESIServerUpsnmp-server trap disable wlsxFanFailuresnmp-server trap disable wlsxFanTrayInsertedsnmp-server trap disable wlsxFanTrayRemovedsnmp-server trap disable wlsxGBICInsertedsnmp-server trap disable wlsxIpSpoofingDetectedsnmp-server trap disable wlsxLCInsertedsnmp-server trap disable wlsxLCRemovedsnmp-server trap disable wlsxLicenseExpirysnmp-server trap disable wlsxLowMemorysnmp-server trap disable wlsxLowOnFlashSpacesnmp-server trap disable wlsxOutOfRangeTemperaturesnmp-server trap disable wlsxOutOfRangeVoltagesnmp-server trap disable wlsxPowerSupplyFailuresnmp-server trap disable wlsxPowerSupplyMissingsnmp-server trap disable wlsxProcessDiedsnmp-server trap disable wlsxProcessExceedsMemoryLimitssnmp-server trap disable wlsxSCInsertedsnmp-server trap disable wlsxSignatureMatchsnmp-server trap disable wlsxStaUnAssociatedFromUnsecureAPsnmp-server trap disable wlsxStationAddedToBlackListsnmp-server trap disable wlsxStationRemovedFromBlackListsnmp-server trap disable wlsxSwitchIPChangedsnmp-server trap disable wlsxSwitchRoleChangesnmp-server trap disable wlsxUserAuthenticationFailedsnmp-server trap disable wlsxUserEntryAuthenticatedsnmp-server trap disable wlsxUserEntryChangedsnmp-server trap disable wlsxUserEntryCreatedsnmp-server trap disable wlsxUserEntryDeAuthenticatedsnmp-server trap 
disable wlsxUserEntryDeletedsnmp-server trap disable wlsxVrrpStateChangefirewall-visibility process monitor logend

WLAN Interoperability Test Report

Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP115 and AP225
WLAN configuration: Beacon Interval 100 ms, DTIM Interval 5, 802.11d Regulatory Domain XX, WMM Enabled (AutoWMM), No Auto-tune, Single Voice VLAN

| Test Case | Description | AP115 2.4 GHz | AP115 5.0 GHz | AP225 2.4 GHz | AP225 5.0 GHz | Comment |
| --- | --- | --- | --- | --- | --- | --- |
| TEST AREA | ASSOCIATION / AUTHENTICATION | | | | | |
| 101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS | |
| 104 | Association with WPA-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 105 | Association with WPA-PSK authentication, AES-CCMP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 106 | Association with WPA2-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS | |
| 110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL |
| 111 | Association with EAP-FAST authentication | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment |
| 116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate |
| TEST AREA | POWER-SAVE AND QOS | | | | | PASS |
| 150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL |
| 151 | Beacon period and DTIM interval | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
| 152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment |
| 202 | WMM prioritization | PASS | PASS | PASS | PASS | Background load generated with iPerf. No degeneration of voice quality |
| TEST AREA | PERFORMANCE | | | | | |
| 301 | Active mode - unencrypted | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 303 | Active mode - encrypted with WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 308 | Power-save mode U-APSD - WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 309 | Power-save mode U-APSD - WPA2-PSK AES background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 310 | CAC - TSPEC | PASS | PASS | PASS | PASS | No TSPEC based CAC |
| TEST AREA | ROAMING AND HANDOVER TIMES | | | | | |
| 401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | avg a/n 24 ms, b/g/n 24 ms |
| 403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 52 ms, b/g/n 59 ms |
| 408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 63 ms, b/g/n 62 ms |
| 410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | always on, see 408 |
| 411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | always on, see 408 |
| TEST AREA | BATTERY LIFETIME | | | | | |
| 501 | Battery lifetime in idle | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 502 | Battery lifetime in call with no power save | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 504 | Battery lifetime in call with power save mode U-APSD | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| TEST AREA | STABILITY | | | | | |
| 601 | Duration of call - Active mode | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 602 | Duration of call - U-APSD mode | PASS | PASS | PASS | PASS | |
| TEST AREA | 802.11n | | | | | |
| 801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 804 | 40 MHz channels | NOT TESTED | PASS | NOT TESTED | NOT TESTED | |
| 805 | 802.11n rates | PASS | PASS | PASS | PASS | |

WLAN Interoperability Test Report

Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP103 and AP205
WLAN configuration: Beacon Interval 100 ms, DTIM Interval 5, 802.11d Regulatory Domain XX, WMM Enabled (AutoWMM), No Auto-tune, Single Voice VLAN

| Test Case | Description | AP205 2.4 GHz | AP205 5.0 GHz | AP103 2.4 GHz | AP103 5.0 GHz | Comment |
| --- | --- | --- | --- | --- | --- | --- |
| TEST AREA | ASSOCIATION / AUTHENTICATION | | | | | |
| 101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS | |
| 104 | Association with WPA-PSK authentication, TKIP encryption | See Comment | See Comment | See Comment | See Comment | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 105 | Association with WPA-PSK authentication, AES-CCMP encryption | See Comment | See Comment | See Comment | See Comment | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 106 | Association with WPA2-PSK authentication, TKIP encryption | PASS | PASS | PASS | PASS | |
| 107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS | |
| 110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL |
| 115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment |
| 116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate |
| TEST AREA | POWER-SAVE AND QOS | | | | | PASS |
| 150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL |
| 151 | Beacon period and DTIM interval | See Comment | See Comment | PASS | PASS | Only Dtim 1 for AP205 AP103 no remark NOT TESTED |
| 152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment |
| 202 | WMM prioritization | PASS | PASS | PASS | PASS | |
| TEST AREA | PERFORMANCE | | | | | |
| 301 | Active mode - unencrypted | PASS | PASS | PASS | PASS | |
| 303 | Active mode - encrypted with WPA2-PSK | PASS | PASS | PASS | PASS | |
| 308 | Power-save mode U-APSD - WPA2-PSK | PASS | PASS | PASS | PASS | |
| 309 | Power-save mode U-APSD - WPA2-PSK AES background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 310 | CAC - TSPEC | PASS | PASS | PASS | PASS | Non tspec based CAC |
| TEST AREA | ROAMING AND HANDOVER TIMES | | | | | |
| 401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 16 ms, b/g/n 18 ms |
| 403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 53 ms, b/g/n 59 ms |
| 408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 46 ms, b/g/n 62 ms |
| 410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | always on, see 408 |
| 411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | always on, see 408 |
| TEST AREA | BATTERY LIFETIME | | | | | |
| 501 | Battery lifetime in idle | See Comment | See Comment | PASS | PASS | 60-70h due to DTIM 1 only AP103 90 100h (DTIM 5) |
| 502 | Battery lifetime in call with no power save | PASS | PASS | PASS | PASS | 3-4 hours |
| 504 | Battery lifetime in call with power save mode U-APSD | PASS | PASS | PASS | PASS | 13h (14-16h for AP103) |
| TEST AREA | STABILITY | | | | | |
| 601 | Duration of call - Active mode | PASS | PASS | PASS | PASS | 24h + |
| 602 | Duration of call - U-APSD mode | PASS | PASS | PASS | PASS | 24h + |
| TEST AREA | 802.11n | | | | | |
| 801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 804 | 40 MHz channels | NOT TESTED | PASS | NOT TESTED | PASS | AP205 80 MHz channels verified ok |
| 805 | 802.11n rates | PASS | PASS | PASS | PASS | |

WLAN Interoperability Test Report

Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP105 and AP135
WLAN configuration: Beacon Interval 100 ms, DTIM Interval 5, 802.11d Regulatory Domain XX, WMM Enabled (AutoWMM), No Auto-tune, Single Voice VLAN

| Test Case | Description | AP105 2.4 GHz | AP105 5.0 GHz | AP135 2.4 GHz | AP135 5.0 GHz | Comment |
| --- | --- | --- | --- | --- | --- | --- |
| TEST AREA | ASSOCIATION / AUTHENTICATION | | | | | |
| 101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS | |
| 104 | Association with WPA-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 105 | Association with WPA-PSK authentication, AES-CCMP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 106 | Association with WPA2-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS | |
| 110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL |
| 115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment |
| 116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate |
| TEST AREA | POWER-SAVE AND QOS | | | | | PASS |
| 150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL |
| 151 | Beacon period and DTIM interval | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Only Dtim 1 for AP205 AP103 no remark NOT TESTED |
| 152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment |
| 202 | WMM prioritization | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Background load generated with iPerf. No degeneration of voice quality |
| TEST AREA | PERFORMANCE | | | | | |
| 301 | Active mode - unencrypted | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 303 | Active mode - encrypted with WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 308 | Power-save mode U-APSD - WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 309 | Power-save mode U-APSD - WPA2-PSK AES background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 310 | CAC - TSPEC | PASS | PASS | PASS | PASS | No TSPEC based CAC |
| TEST AREA | ROAMING AND HANDOVER TIMES | | | | | |
| 401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | avg a/n 29 ms, b/g/n 27 ms |
| 403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 57 ms, b/g/n 55 ms |
| 408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 62 ms, b/g/n 60 ms |
| 410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | Always on, see 408 |
| 411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | Always on, see 408 |
| 412 | Preauthentication | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| TEST AREA | BATTERY LIFETIME | | | | | |
| 501 | Battery lifetime in idle | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 502 | Battery lifetime in call with no power save | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 504 | Battery lifetime in call with power save mode U-APSD | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| TEST AREA | STABILITY | | | | | |
| 601 | Duration of call - Active mode | PASS | PASS | PASS | PASS | |
| 602 | Duration of call - U-APSD mode | PASS | PASS | PASS | PASS | |
| TEST AREA | 802.11n | | | | | |
| 801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 804 | 40 MHz channels | NOT TESTED | NOT TESTED | NOT TESTED | PASS | |
| 805 | 802.11n rates | PASS | PASS | PASS | PASS | |

Settings on the Aruba WLAN

Enable SNMP v2 on the Aruba Mobility Controller and configure the community string as follows

The following Aruba Mobility Controller configuration settings are recommended for use with Ascom i62 handsets:

RF Recommended Settings for Ascom
o Beacon Interval: 100 ms
o DTIM Period: 5
o WMM U-APSD: Enabled
o 802.11d Regulatory Domain: Country specific

Encryption and Authentication
o The handset and the WLAN infrastructure support and were tested with WPA/WPA2 enterprise and PSK. Please refer to the Aruba configuration guide for additional information on how the SSIDs and encryption/authentication methods should be configured.

Adaptive Radio Management
o Enable ARM voice aware scanning, WMM U-APSD and band steering.

User Roles and Policies
The Ascom phones support SIP and H.323, so enable the voice ACL or the SIP and H.323 ACLs.

Ascom Settings

The following Ascom i62 Handset configuration settings are recommended for use with Aruba Mobility Controllers:

Ascom i62 Configuration
o World Mode Regulatory Domain: set to World mode
o IP DSCP for Voice: 0xC0 (46) - Expedited Forwarding
o IP DSCP for Signaling: 0x68 (26) - Assured Forwarding 31
o Transmit Gratuitous ARP: Enable

Refer to Appendix A for additional details.

Test Methodology

Summary Test Results

The features and functions listed below were assessed during interoperability testing. The test results are presented in the right-most column.

WLAN Controller Features

| High Level Functionality | Result |
| --- | --- |
| Association Open with No Encryption | OK |
| Association Open with Static WEP64/128 | Not tested |
| Association WPA-PSK TKIP | OK |
| Association WPA2-PSK TKIP AES Encryption | OK |
| Association PEAP-MSCHAPv2 Auth TKIP Encryption | OK |
| Association PEAP-MSCHAPv2 Auth AES Encryption | OK |
| Association EAP-TLS | OK |
| Association Multiple ESSIDs | OK |
| Beacon Interval and DTIM Period | OK |
| Pre-authentication | N/A |
| PMKSA Caching | OK |
| WPA2-Opportunistic/Proactive Key Caching | OK |
| WMM Prioritization | OK |
| Active Mode (load test) | OK |
| 802.11 Power-Save Mode | OK |
| 802.11e U-APSD | OK |
| 802.11e U-APSD (load test) | OK |

Roaming

| High Level Functionality | Result |
| --- | --- |
| Roaming Open with No Encryption | OK (Avg roaming time 24 ms) |
| Roaming WPA-PSK TKIP Encryption | Not tested |
| Roaming WPA2-PSK AES Encryption | OK (Avg roaming time 59 ms) |
| Roaming PEAP-MSCHAPv2 Auth AES Encryption | OK (Avg roaming time 68 ms) |

Note: Stated roaming times were measured using 802.11b/g (n) AP-225. Refer to Appendix B for detailed test records.

Note: Results observed with Opportunistic Key Caching enabled. Results average 400 ms without Opportunistic Key Caching.

Known Limitations

- Note that AP-205/214/215/224/225/275 only supports DTIM 1. This will reduce the standby (idle) time from approximately 100 hours to 60 hours.

- Ascom i62 does not handle 802.11k info correctly, which affects roaming negatively. It is therefore highly recommended to configure the Aruba system not to advertise the 802.11k capabilities for the Ascom i62 SSID.

Conclusion

The verification, including association, authentication, roaming and load test, produced very good results overall. Roaming times were in general good, at around 40-60 ms both when using WPA2-PSK/AES and PEAP-MSCHAPv2 (WPA2/AES).

Load testing showed that more than 18 Ascom i62 Handsets could maintain a call via a single Aruba access point when tested both in active and U-APSD modes. Note that 18 was the maximum number of devices tested and not the capacity limit.

Appendix 1

This section includes screenshots and explanations of basic settings required to use Ascom i62 Handsets with an Aruba 3400 Mobility Controller. Please note the security settings of each test case, as they were modified according to the needs of the test cases.

The configuration file is found at the end of this appendix.

General settings (SSID, Radio and QoS)

Set DTIM Interval to 5 (for AP-204/205/214/215/224/225 only value 1 is supported). This value is recommended for maximum battery conservation without impacting call quality. Using a lower value will also decrease the standby time slightly.

Ascom recommends disabling the lowest rates and recommends that 12 Mbit/s is the lowest basic rate.

Ensure that WMM and U-APSD are enabled. To match the default values in the i62, use DSCP 46 for Voice, 26 for video and 0 for best effort. It is also recommended that "Max Transmit Attempts" be set to 4.

Note: To further optimize performance, it is recommended that 802.11b clients be disallowed from associating by setting 6 Mbps or 12 Mbps as Basic Rates in the 802.11g configuration.

Set "Maximum Transmit Failures" to 25.

"High throughput enable" enables 802.11n capabilities that are supported in combination with Open encryption and WPA2-AES (PSK or Enterprise).

Ascom supports both 40 MHz and Very High Throughput enabled SSIDs, including 80 MHz channels.

Ascom recommends a Beacon Interval of 100 ms and advertising 802.11d/h capabilities.

General guidelines when deploying Ascom i62 handsets (SW version 257 or later) in 802.11a/n environments:

1. Enabling more than 8 channels will degrade roaming performance. Ascom strongly recommends against going above this limit.

2. Using 40 MHz channels (or "channel-bonding") will reduce the number of non-DFS channels to two in ETSI regions (Europe). In FCC regions (North America) 40 MHz is a more viable option because of the availability of additional non-DFS channels. The handset can co-exist with 40 MHz stations in the same ESS.

3. Make sure that all non-DFS channels are taken before resorting to DFS channels. The handset can cope in mixed non-DFS and DFS environments; however, due to the "unpredictability" introduced by radar detection protocols, voice quality may become distorted and roaming delayed. Hence Ascom recommends avoiding the use of DFS channels in VoWi-Fi deployments.

DFS = Dynamic Frequency Selection (radar detection)

Ascom recommends a Beacon Interval of 100 ms and advertising 802.11d/h capabilities. For 802.11b/g/n use only channels 1, 6 and 11. For 802.11a/n use channels in accordance with Aruba's guidelines and in compliance with local regulations.
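
The SSID values recommended in this section can be checked against a controller configuration before handsets are deployed. The script below is an added example, not part of the original guide or of Aruba's tooling; it assumes the usual running-config layout (sub-commands indented under `wlan ssid-profile`, blocks closed by `!`), and the sample configuration and its profile names are constructed.

```python
import shlex

# Values this guide recommends for an SSID serving Ascom i62 handsets.
RECOMMENDED = {
    "dtim-period": "5",   # AP-204/205/214/215/224/225 support only 1
    "max-retries": "4",   # "Max Transmit Attempts"
    "max-tx-fail": "25",  # "Maximum Transmit Failures"
    "wmm-vo-dscp": "46",
    "wmm-vi-dscp": "26",
    "wmm-be-dscp": "0",
}
GUIDE_OPMODES = {"wpa2-psk-aes", "wpa2-aes"}  # WPA2-PSK AES, WPA2/AES with 802.1X
MIN_BASIC_RATE = 12  # Mbit/s, lowest basic rate Ascom recommends
DISABLED = "<disabled>"  # marker stored for "no <keyword>" lines


def parse_ssid_profiles(config_text):
    """Return {profile name: {keyword: value}} for each 'wlan ssid-profile' block."""
    # Assumption: a block ends at '!' or at the next top-level (unindented) command.
    profiles, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line in ("", "!"):
            current = None if line == "!" else current
            continue
        try:
            tokens = shlex.split(line)  # strips quotes around profile names
        except ValueError:
            tokens = line.split()
        if not raw[0].isspace():  # top-level command opens a new block
            is_ssid = tokens[:2] == ["wlan", "ssid-profile"] and len(tokens) > 2
            current = profiles.setdefault(tokens[2], {}) if is_ssid else None
        elif current is not None:
            negated = tokens[0] == "no" and len(tokens) > 1
            key = tokens[1] if negated else tokens[0]
            current[key] = DISABLED if negated else " ".join(tokens[1:])
    return profiles


def audit_profile(settings, dtim1_only_ap=False):
    """Compare one parsed profile with the guide's values and list deviations."""
    expected = dict(RECOMMENDED)
    if dtim1_only_ap:
        expected["dtim-period"] = "1"
    findings = []
    for key, want in expected.items():
        have = settings.get(key, "not set")
        if have != want:
            findings.append(f"{key}: {have} (guide: {want})")
    if settings.get("wmm", DISABLED) == DISABLED:
        findings.append("wmm: not enabled (guide: WMM enabled)")
    modes = settings.get("opmode", "").split()
    if not modes or not set(modes) <= GUIDE_OPMODES:
        findings.append(f"opmode: {' '.join(modes) or 'not set'} (guide: WPA2 with AES)")
    rates = [int(r) for r in settings.get("g-basic-rates", "").split() if r.isdigit()]
    if rates and min(rates) < MIN_BASIC_RATE:
        findings.append(f"g-basic-rates: lowest is {min(rates)} (guide: {MIN_BASIC_RATE})")
    return findings


def audit_config(config_text, dtim1_only_ap=False):
    """Audit every SSID profile in a configuration; return {name: findings}."""
    profiles = parse_ssid_profiles(config_text)
    return {name: audit_profile(s, dtim1_only_ap) for name, s in profiles.items()}


# Constructed sample (profile names are made up). "lab-test" reuses the DSCP and
# basic-rate values of the default SSID profile in this guide's test configuration.
SAMPLE_CONFIG = """
wlan ssid-profile "ascom-voice"
   opmode wpa2-psk-aes
   dtim-period 5
   g-basic-rates 12
   max-retries 4
   wmm
   wmm-vo-dscp 46
   wmm-vi-dscp 26
   wmm-be-dscp 0
   max-tx-fail 25
!
wlan ssid-profile "lab-test"
   opmode wpa2-psk-aes
   dtim-period 5
   g-basic-rates 6
   max-retries 4
   wmm
   wmm-vo-dscp 46
   wmm-vi-dscp 40
   wmm-be-dscp 26
   max-tx-fail 25
!
wlan ssid-profile "open-guest"
   essid "Guest"
!
"""

if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name, findings or "matches the guide")
```

Pass `dtim1_only_ap=True` when the SSID is served by the access points that only support DTIM 1.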

Encryption and Authentication Settings

WPA2-PSK: Set the security profile to WPA2-PSK AES encryption.

Enterprise/.1X authentication

Step 1: When configuring the authentication mode using a RADIUS server, the IP address and the secret must correspond to the IP address and the credential used by the RADIUS server. The RADIUS server should be added to a Server Group.

Step 2: Create an 802.1X Authentication Profile.

Step 3: Choose the 802.1X Authentication profile created in the previous step and configure the Authentication Server group.

Choose the configured AAA Profile and set WPA2/AES as the security mode.

See Appendix B for the controller configuration used for the certification process.

Ascom i62 Setting Summary

Network settings for WPA2-PSK

Network settings for .1X authentication (PEAP-MSCHAPv2)

802.1X Authentication requires a root certificate to be uploaded to the phone by "right clicking" -> Edit certificates. EAP-TLS will require both a root and a client certificate.

Note that both a root and a client certificate are needed for TLS. Otherwise only a root certificate is needed.

Server certificate validation can be overridden in version 4112 and above per handset setting (Validate server certificate under Network settings). With validation turned off, the handset cannot verify that it is sending its PEAP-MSCHAPv2 credentials to the intended RADIUS server.

APPENDIX B

Test Summary

| Description | Runs |
| --- | --- |
| Tests passed | 24 |
| Tests Not Run | 11 |
| Tests fail | 0 |
| Test NA | 0 |
| Total Number of Tests | 35 |

ArubaTestConfigurationFile version 64 enable secret 7d3988e20126db68084797bcc038534bffc2ced01c24555806 hostname Aruba3400 clock timezone PST ‐8 location Building1floor1 controller config 716 ip NAT pool dynamic‐srcnat 0000 0000 ip access‐list eth validuserethacl permit any netservice svc‐pcoip2‐tcp tcp 4172 netservice svc‐snmp‐trap udp 162 netservice svc‐netbios‐dgm udp 138 netservice svc‐citrix tcp 2598 netservice svc‐smb‐tcp tcp 445 netservice svc‐ike udp 500 netservice svc‐l2tp udp 1701 netservice svc‐syslog udp 514 netservice svc‐dhcp udp 67 68 alg dhcp netservice svc‐https tcp 443 netservice svc‐ica tcp 1494 netservice svc‐pptp tcp 1723 netservice svc‐telnet tcp 23 netservice svc‐http‐accl tcp 88 netservice svc‐sccp tcp 2000 alg sccp netservice svc‐sec‐papi udp 8209 netservice svc‐tftp udp 69 alg tftp netservice svc‐kerberos udp 88 netservice svc‐sip‐tcp tcp 5060 netservice svc‐netbios‐ssn tcp 139 netservice svc‐pcoip‐udp udp 50002 netservice svc‐pcoip‐tcp tcp 50002 netservice svc‐pop3 tcp 110 netservice svc‐adp udp 8200 netservice svc‐cfgm‐tcp tcp 8211 netservice svc‐noe udp 32512 alg noe netservice svc‐http‐proxy3 tcp 8888 netservice svc‐lpd‐tcp tcp 631 netservice svc‐msrpc‐tcp tcp 135 139 netservice svc‐rtsp tcp 554 alg rtsp netservice svc‐dns udp 53 alg dns netservice vnc tcp 5900 5905 netservice svc‐vocera udp 5002 alg vocera netservice svc‐h323‐tcp tcp 1720 netservice svc‐h323‐udp udp 1718 1719 netservice svc‐http tcp 80 netservice svc‐nterm tcp 1026 1028 netservice svc‐sip‐udp udp 5060 netservice svc‐http‐proxy2 tcp 8080 netservice svc‐noe‐oxo udp 5000 alg noe netservice svc‐papi udp 8211 netservice svc‐ftp tcp 21 alg ftp netservice svc‐natt udp 4500 netservice svc‐svp 119 alg svp netservice svc‐microsoft‐ds tcp 445 netservice svc‐gre 47 netservice svc‐smtp tcp 25 netservice web tcp list 80 443 netservice svc‐smb‐udp udp 445 netservice svc‐sips tcp 5061 alg sips netservice svc‐netbios‐ns udp 137 netservice svc‐esp 50


netservice svc-cups tcp 515
netservice svc-pcoip2-udp udp 4172
netservice svc-bootp udp 67 69
netservice svc-snmp udp 161
netservice svc-v6-dhcp udp 546 547
netservice svc-icmp 1
netservice svc-ntp udp 123
netservice svc-msrpc-udp udp 135 139
netservice svc-ssh tcp 22
netservice svc-http-proxy1 tcp 3128
netservice svc-v6-icmp 58
netservice svc-lpd-udp udp 631
netservice svc-vmware-rdp tcp 3389
netdestination6 ipv6-reserved-range
  invert
  network 20003
netexthdr default
time-range night-hours periodic
  weekday 1801 to 2359
  weekday 0000 to 0759
time-range weekend periodic
  weekend 0000 to 2359
time-range working-hours periodic
  weekday 0800 to 1800
ip access-list session allow-diskservices
  any any svc-netbios-dgm permit
  any any svc-netbios-ssn permit
  any any svc-microsoft-ds permit
  any any svc-netbios-ns permit
ip access-list session control
  any any svc-papi permit
  any any svc-sec-papi permit
  user any udp 68 deny
  any any svc-icmp permit
  any any svc-dns permit
  any any svc-cfgm-tcp permit
  any any svc-adp permit
  any any svc-tftp permit
  any any svc-dhcp permit
  any any svc-natt permit
ip access-list session v6-icmp-acl
ip access-list session apprf-ascom-sacl
ip access-list session validuser
  network 16925400 25525500 any any deny
  network 127000 255000 any any deny
  network 224000 240000 any any deny
  host 255255255255 any any deny
  network 240000 240000 any any deny
  any any any permit
  ipv6 host fe80 any any deny
  ipv6 network fc007 any any permit
  ipv6 network fe8064 any any permit
  ipv6 alias ipv6-reserved-range any any deny
  ipv6 any any any permit
ip access-list session vocera-acl
  any any svc-vocera permit queue high


ip access-list session v6-https-acl
ip access-list session vmware-acl
  any any svc-vmware-rdp permit tos 46 dot1p-priority 6
  any any svc-pcoip-tcp permit tos 46 dot1p-priority 6
  any any svc-pcoip-udp permit tos 46 dot1p-priority 6
  any any svc-pcoip2-tcp permit tos 46 dot1p-priority 6
  any any svc-pcoip2-udp permit tos 46 dot1p-priority 6
ip access-list session apprf-default-vpn-role-sacl
ip access-list session v6-control
  ipv6 any any svc-papi permit
  ipv6 any any svc-sec-papi permit
  ipv6 user any udp 547 deny
  ipv6 any any svc-v6-icmp permit
  ipv6 any any svc-dns permit
  ipv6 any any svc-cfgm-tcp permit
  ipv6 any any svc-adp permit
  ipv6 any any svc-tftp permit
  ipv6 any any svc-dhcp permit
  ipv6 any any svc-natt permit
ip access-list session icmp-acl
  any any svc-icmp permit
ip access-list session apprf-authenticated-sacl
ip access-list session apprf-stateful-dot1x-sacl
ip access-list session captiveportal
  user alias controller svc-https dst-nat 8081
  user any svc-http dst-nat 8080
  user any svc-https dst-nat 8081
  user any svc-http-proxy1 dst-nat 8088
  user any svc-http-proxy2 dst-nat 8088
  user any svc-http-proxy3 dst-nat 8088
ip access-list session v6-dhcp-acl
ip access-list session allowall
  any any any permit
ip access-list session v6-dns-acl
ip access-list session apprf-voice-sacl
ip access-list session lync-acl
  any any svc-sips permit queue high
ip access-list session test
ip access-list session sip-acl
  any any svc-sip-udp permit queue high
  any any svc-sip-tcp permit queue high
ip access-list session https-acl
  any any svc-https permit
ip access-list session citrix-acl
  any any svc-citrix permit tos 46 dot1p-priority 6
  any any svc-ica permit tos 46 dot1p-priority 6
ip access-list session dns-acl
  any any svc-dns permit


ip access-list session ascom
  any any any permit
ip access-list session ra-guard
  ipv6 user any icmpv6 rtr-adv deny
ip access-list session allow-printservices
  any any svc-cups permit
  any any svc-lpd-tcp permit
  any any svc-lpd-udp permit
ip access-list session logon-control
  user any udp 68 deny
  any any svc-icmp permit
  any any svc-dns permit
  any any svc-dhcp permit
  any any svc-natt permit
  any network 16925400 25525500 any deny
  any network 240000 240000 any deny
ip access-list session vpnlogon
  user any svc-ike permit
  user any svc-esp permit
  any any svc-l2tp permit
  any any svc-pptp permit
  any any svc-gre permit
ip access-list session srcnat
  user any any src-nat
ip access-list session skinny-acl
  any any svc-sccp permit queue high
ip access-list session tftp-acl
  any any svc-tftp permit
ip access-list session v6-allowall
ip access-list session apprf-cpbase-sacl
ip access-list session cplogout
  user alias controller svc-https dst-nat 8081
ip access-list session apprf-default-via-role-sacl
ip access-list session dhcp-acl
  any any svc-dhcp permit
ip access-list session http-acl
  any any svc-http permit
ip access-list session v6-http-acl
ip access-list session captiveportal6
  ipv6 user alias controller6 svc-https captive
  ipv6 user any svc-http captive
  ipv6 user any svc-https captive
  ipv6 user any svc-http-proxy1 captive
  ipv6 user any svc-http-proxy2 captive
  ipv6 user any svc-http-proxy3 captive
ip access-list session apprf-guest-sacl
ip access-list session ap-uplink-acl
  any any udp 68 permit


  any any svc-icmp permit
  any host 22400251 udp 5353 permit
ip access-list session ap-acl
  any any svc-gre permit
  any any svc-syslog permit
  any user svc-snmp permit
  user any svc-http permit
  user any svc-http-accl permit
  user any svc-smb-tcp permit
  user any svc-msrpc-tcp permit
  user any svc-snmp-trap permit
  user any svc-ntp permit
  user alias controller svc-ftp permit
ip access-list session svp-acl
  any any svc-svp permit queue high
  user host 22401116 any permit
ip access-list session noe-acl
  any any svc-noe permit queue high
ip access-list session global-sacl
ip access-list session v6-ap-acl
  ipv6 any any svc-gre permit
  ipv6 any any svc-syslog permit
  ipv6 any user svc-snmp permit
  ipv6 user any svc-snmp-trap permit
  ipv6 user any svc-ntp permit
  ipv6 user alias controller6 svc-ftp permit
ip access-list session h323-acl
  any any svc-h323-tcp permit queue high
  any any svc-h323-udp permit queue high
ip access-list session v6-logon-control
  ipv6 any network fc007 any permit
  ipv6 any network fe8064 any permit
  ipv6 any alias ipv6-reserved-range any deny
vpn-dialer default-dialer
  ike authentication PRE-SHARE 0fa4598253e270cc96afbec0732b06120e4a3d76a908f6e2
dot1x high-watermark 60
dot1x low-watermark 57
user-role ap-role
  access-list session ra-guard
  access-list session control
  access-list session ap-acl
  access-list session v6-control
  access-list session v6-ap-acl
user-role denyall
user-role default-vpn-role
  access-list session global-sacl
  access-list session apprf-default-vpn-role-sacl
  access-list session ra-guard
  access-list session allowall
  access-list session v6-allowall
user-role cpbase
  access-list session global-sacl
  access-list session apprf-cpbase-sacl


user-role voice
  access-list session global-sacl
  access-list session apprf-voice-sacl
  access-list session ra-guard
  access-list session sip-acl
  access-list session noe-acl
  access-list session svp-acl
  access-list session vocera-acl
  access-list session skinny-acl
  access-list session h323-acl
  access-list session dhcp-acl
  access-list session tftp-acl
  access-list session dns-acl
  access-list session icmp-acl
user-role ascom
  access-list session global-sacl
  access-list session apprf-ascom-sacl
  access-list session ascom
user-role default-via-role
  access-list session global-sacl
  access-list session apprf-default-via-role-sacl
  access-list session allowall
  access-list session v6-allowall
user-role guest-logon
  captive-portal default
  access-list session ra-guard
  access-list session logon-control
  access-list session captiveportal
  access-list session v6-logon-control
  access-list session captiveportal6
user-role guest
  access-list session global-sacl
  access-list session apprf-guest-sacl
  access-list session ra-guard
  access-list session http-acl
  access-list session https-acl
  access-list session dhcp-acl
  access-list session icmp-acl
  access-list session dns-acl
  access-list session v6-http-acl
  access-list session v6-https-acl
  access-list session v6-dhcp-acl
  access-list session v6-icmp-acl
  access-list session v6-dns-acl
user-role stateful-dot1x
  access-list session global-sacl
  access-list session apprf-stateful-dot1x-sacl
user-role authenticated
  access-list session global-sacl
  access-list session apprf-authenticated-sacl
  access-list session ra-guard
  access-list session allowall
  access-list session v6-allowall
user-role logon
  access-list session ra-guard
  access-list session logon-control
  access-list session captiveportal
  access-list session vpnlogon
  access-list session v6-logon-control


  access-list session captiveportal6
no kernel coredump
interface mgmt
  shutdown
dialer group evdo_us
  init-string ATQ0V1E0
  dial-string ATDT777
dialer group gsm_us
  init-string AT+CGDCONT=1IPISPCINGULAR
  dial-string ATD99
dialer group gsm_asia
  init-string AT+CGDCONT=1IPinternet
  dial-string ATD991
dialer group vivo_br
  init-string AT+CGDCONT=1IPzapvivocombr
  dial-string ATD99
no spanning-tree
interface gigabitethernet 10
  description GE10
  trusted
  trusted vlan 1-4094
interface gigabitethernet 11
  description GE11
  trusted
  trusted vlan 1-4094
interface gigabitethernet 12
  description GE12
  trusted
  trusted vlan 1-4094
interface gigabitethernet 13
  description GE13
  trusted
  trusted vlan 1-4094
interface vlan 1
  ip address 192168013 2552552550
ip default-gateway 172201061
ip default-gateway 192168050
uplink disable


crypto isakmp policy 20
  encryption aes256
crypto isakmp policy 10001
crypto isakmp policy 10002
  encryption aes256
  authentication rsa-sig
crypto isakmp policy 10003
  encryption aes256
crypto isakmp policy 10004
  version v2
  encryption aes256
  authentication rsa-sig
crypto isakmp policy 10005
  encryption aes256
crypto isakmp policy 10006
  version v2
  encryption aes128
  authentication rsa-sig
crypto isakmp policy 10007
  version v2
  encryption aes128
crypto isakmp policy 10008
  version v2
  encryption aes128
  hash sha2-256-128
  group 19
  authentication ecdsa-256
  prf prf-hmac-sha256
crypto isakmp policy 10009
  version v2
  encryption aes256
  hash sha2-384-192
  group 20
  authentication ecdsa-384
  prf prf-hmac-sha384
crypto ipsec transform-set default-ha-transform esp-3des esp-sha-hmac
crypto ipsec transform-set default-boc-bm-transform esp-3des esp-sha-hmac
crypto ipsec transform-set default-rap-transform esp-aes256 esp-sha-hmac
crypto ipsec transform-set default-aes esp-aes256 esp-sha-hmac
crypto dynamic-map default-rap-ipsecmap 10001
  version v2
  set transform-set default-gcm256 default-gcm128 default-rap-transform
crypto dynamic-map default-dynamicmap 10000
  set transform-set default-transform default-aes


crypto map GLOBAL-IKEV2-MAP 10000 ipsec-isakmp dynamic default-rap-ipsecmap
crypto map GLOBAL-MAP 10000 ipsec-isakmp dynamic default-dynamicmap
crypto isakmp eap-passthrough eap-tls
crypto isakmp eap-passthrough eap-peap
crypto isakmp eap-passthrough eap-mschapv2
vpdn group l2tp
vpdn group pptp
tunneled-node-address 0000
adp discovery enable
adp igmp-join enable
adp igmp-vlan 0
voice rtcp-inactivity disable
voice alg-based-cac enable
voice sip-midcall-req-timeout disable
ap ap-blacklist-time 3600
ap flush-r1-on-new-r0 disable
mgmt-user admin root 5436b5a101681372db26d314e974065944317cd3e1fe6a5534
no database synchronize
ip mobile domain default
airgroup mdns enable
airgroup dlna enable
airgroup location-discovery enable
airgroup active-wireless-discovery disable
airgroupservice airplay
  id _airplay_tcp
  id _raop_tcp
  id _appletv-v2_tcp
  description AirPlay
airgroupservice airprint
  id _ipp_tcp
  id _pdl-datastream_tcp
  id _printer_tcp
  id _scanner_tcp
  id _universal_sub_ipp_tcp
  id _universal_sub_ipps_tcp
  id _printer_sub_http_tcp
  id _http_tcp


  id _http-alt_tcp
  id _ipp-tls_tcp
  id _fax-ipp_tcp
  id _riousbprint_tcp
  id _cups_sub_ipp_tcp
  id _cups_sub_fax-ipp_tcp
  id _ica-networking_tcp
  id _ptp_tcp
  id _canon-bjnp1_tcp
  id _ipps_tcp
  id _ica-networking2_tcp
  description AirPrint
airgroupservice itunes
  id _home-sharing_tcp
  id _apple-mobdev_tcp
  id _daap_tcp
  id _dacp_tcp
  description iTunes
airgroupservice remotemgmt
  id _ssh_tcp
  id _sftp-ssh_tcp
  id _ftp_tcp
  id _telnet_tcp
  id _rfb_tcp
  id _net-assistant_tcp
  description Remote management
airgroupservice sharing
  id _odisk_tcp
  id _afpovertcp_tcp
  id _xgrid_tcp
  description Sharing
airgroupservice chat
  id _presence_tcp
  description Chat
airgroupservice googlecast
  id _googlecast_tcp
  description GoogleCast supported by Chromecast etc
airgroupservice DIAL
  id urndial-multiscreen-orgservicedial1
  id urndial-multiscreen-orgdevicedial1
  description DIAL supported by Chromecast FireTV Roku etc
airgroupservice DLNA Media
  id urnschemas-upnp-orgdeviceMediaServer1
  id urnschemas-upnp-orgdeviceMediaServer2
  id urnschemas-upnp-orgdeviceMediaServer3
  id urnschemas-upnp-orgdeviceMediaServer4
  id urnschemas-upnp-orgdeviceMediaRenderer1
  id urnschemas-upnp-orgdeviceMediaRenderer2
  id urnschemas-upnp-orgdeviceMediaRenderer3
  id urnschemas-upnp-orgdeviceMediaPlayer1
  description Media
airgroupservice DLNA Print
  id urnschemas-upnp-orgdevicePrinter1
  id urnschemas-upnp-orgservicePrintBasic1
  id urnschemas-upnp-orgservicePrintEnhanced1
  description Print
airgroupservice allowall


  description Remaining-Services
airgroup service airplay enable
airgroup service airprint enable
airgroup service itunes disable
airgroup service remotemgmt disable
airgroup service sharing disable
airgroup service chat disable
airgroup service googlecast disable
airgroup service DIAL enable
airgroup service DLNA Media disable
airgroup service DLNA Print disable
airgroup service allowall disable
ip igmp
ipv6 mld
no firewall attack-rate cp 1024
firewall enable ICE-STUN based firewall traversal
firewall attack-rate grat-arp 50 drop
ipv6 firewall ext-hdr-parse-len 100
firewall cp
ip domain lookup
country US
aaa authentication mac default
aaa authentication dot1x ArubaIntop-dot1x_prof
aaa authentication dot1x ascom
  machine-authentication enable
  machine-authentication machine-default-role ascom
  machine-authentication user-default-role authenticated
  reauthentication
  termination enable
  termination eap-type eap-peap
  termination inner-eap-type eap-mschapv2
aaa authentication dot1x default
aaa authentication dot1x Freeradius
  machine-authentication enable
  machine-authentication machine-default-role ascom
  machine-authentication user-default-role authenticated
aaa authentication-server radius Intop
  host 19216802


  key 6035e299cd29e5ccb74cf92aac31ee2f
aaa server-group ascom
  auth-server Internal
aaa server-group default
  auth-server Internal
  set role condition role value-of
aaa server-group intop
  auth-server Intop
aaa profile ascom
  initial-role ascom
  authentication-dot1x ascom
  dot1x-default-role authenticated
  dot1x-server-group ascom
aaa profile default
aaa profile default-dot1x
  initial-role ascom
  authentication-dot1x Freeradius
  dot1x-default-role authenticated
  dot1x-server-group intop
aaa profile default-dot1x-psk
  initial-role ascom
  authentication-dot1x default-psk
  dot1x-default-role authenticated
aaa authentication captive-portal default
aaa authentication wispr default
aaa authentication vpn default
aaa authentication vpn default-rap
aaa authentication mgmt
aaa authentication stateful-ntlm default
aaa authentication stateful-kerberos default
aaa authentication stateful-dot1x
  server-group intop
aaa authentication wired
web-server
guest-access-email
voice logging
voice dialplan-profile default
app lync traffic-control default
voice real-time-config
voice sip
aaa password-policy mgmt


control-plane-security
  no cpsec-enable
ids wms-general-profile
  poll-retries 3
ids wms-local-system-profile
valid-network-oui-profile
upgrade-profile
license profile
activate-service-whitelist
file syncing profile
ifmap cppm
pan profile default
pan active-profile
ap system-profile default
ap regulatory-domain-profile default
  country-code US
  valid-11g-channel 1
  valid-11g-channel 6
  valid-11g-channel 11
  valid-11a-channel 36
  valid-11a-channel 40
  valid-11a-channel 44
  valid-11a-channel 48
  valid-11a-channel 149
  valid-11a-channel 153
  valid-11a-channel 157
  valid-11a-channel 161
  valid-11a-channel 165
  valid-11g-40mhz-channel-pair 1-5
  valid-11g-40mhz-channel-pair 7-11
  valid-11a-40mhz-channel-pair 36-40
  valid-11a-40mhz-channel-pair 44-48
  valid-11a-40mhz-channel-pair 149-153
  valid-11a-40mhz-channel-pair 157-161
ap wired-ap-profile default
ap enet-link-profile default
ap mesh-ht-ssid-profile default
ap lldp med-network-policy-profile default
ap mesh-cluster-profile default
ap lldp profile default
ap mesh-radio-profile default
ap wired-port-profile default
ids general-profile default
ids unauthorized-device-profile default


ids profile default
rf arm-profile default
  assignment disable
rf arm-profile disable
  assignment disable
  no scanning
  no multi-band-scan
rf optimization-profile default
rf event-thresholds-profile default
rf am-scan-profile default
rf dot11a-radio-profile ch 165
  channel 48E
  tx-power 6
  arm-profile disable
rf dot11a-radio-profile ch 36
  channel 36E
  tx-power 25
  dot11h
  arm-profile disable
rf dot11a-radio-profile ch 40
  channel 40-
  tx-power 22
rf dot11a-radio-profile ch149
  channel 149E
  tx-power 6
  dot11h
rf dot11a-radio-profile ch44
  channel 44
  tx-power 16
rf dot11a-radio-profile default
  arm-profile disable
rf dot11g-radio-profile channel-1
  channel 1
  tx-power 6
  dot11h
  arm-profile disable
rf dot11g-radio-profile channel-11
  channel 11
  tx-power 30
  dot11h
  arm-profile disable
rf dot11g-radio-profile channel-6
  channel 6
  tx-power 25
  dot11h
  arm-profile disable
rf dot11g-radio-profile default
wlan handover-trigger-profile default


wlan rrm-ie-profile default
wlan bcn-rpt-req-profile default
wlan dot11r-profile default
wlan tsm-req-profile default
wlan voip-cac-profile default
  call-capacity 5
  bandwidth-capacity 200
  send-sip-status-code client 503
  send-sip-status-code server 503
wlan ht-ssid-profile default
  no 40MHz-enable
  no very-high-throughput-enable
  no 80MHz-enable
  no short-guard-intvl-20MHz
  no short-guard-intvl-40MHz
  no short-guard-intvl-80MHz
wlan hotspot anqp-venue-name-profile default
wlan hotspot anqp-nwk-auth-profile default
wlan hotspot anqp-roam-cons-profile default
wlan hotspot anqp-nai-realm-profile default
wlan hotspot anqp-3gpp-nwk-profile default
wlan hotspot h2qp-operator-friendly-name-profile default
wlan hotspot h2qp-wan-metrics-profile default
wlan hotspot h2qp-conn-capability-profile default
wlan hotspot h2qp-op-cl-profile default
wlan hotspot anqp-ip-addr-avail-profile default
wlan hotspot anqp-domain-name-profile default
wlan wmm-traffic-management-profile Ascom
  enable-shaping
wlan edca-parameters-profile station default
wlan edca-parameters-profile ap default
wlan dot11k-profile default
wlan ssid-profile --NEW--
  essid ArubaIntop2
  wmm-vo-dscp 56
  wmm-vi-dscp 40
  wmm-be-dscp 24
  wmm-bk-dscp 8
wlan ssid-profile default
  essid ArubaIntop
  opmode wpa2-psk-aes
  dtim-period 5
  g-basic-rates 6
  g-tx-rates 11 12 18 24 36 48 54


  max-retries 4
  wmm
  wmm-vo-dscp 46
  wmm-vi-dscp 40
  wmm-be-dscp 26
  wmm-bk-dscp 0
  wepkey1 1317981aecb1ee9a3145cbeeabbbc99a4c29e309ef9c8544
  wpa-passphrase 50a78a5dac7e447441e028920cceef898a3ba5f29c6e2098
  max-tx-fail 25
  edca-parameters-profile station default
  edca-parameters-profile ap default
wlan ssid-profile test
  opmode wpa2-psk-aes
  wmm-vo-dscp 56
  wmm-vi-dscp 40
  wmm-be-dscp 24
  wmm-bk-dscp 8
  wpa-passphrase c66913b490044f55538730b888a8522c02008a746fb88738
wlan hotspot advertisement-profile default
wlan hotspot hs2-profile default
wlan virtual-ap default
  aaa-profile default-dot1x
ap provisioning-profile default
rf arm-rf-domain-profile
  arm-rf-domain-key 49868e8b02680a8f03980ea4288197a4
ap-lacp-striping-ip
ap-group default
  virtual-ap default
  dot11a-radio-profile ch149
  dot11g-radio-profile channel-6
ap-name 001a1eca2c1a
  dot11a-radio-profile ch 36
  dot11g-radio-profile channel-11
ap-name 001a1eca2c76
  dot11a-radio-profile ch 36
  dot11g-radio-profile channel-1
ap-name 00246ccbf8b1
ap-name 00246ccbf900
  dot11a-radio-profile ch44
  dot11g-radio-profile channel-11
ap-name 24dec6cacabc
  dot11a-radio-profile ch149
  dot11g-radio-profile channel-1
ap-name 3400-ap-61-a
  dot11g-radio-profile channel-6
ap-name 3400-ap-61-b
  dot11g-radio-profile channel-6
ap-name 9c1c12c0c3bc
  dot11a-radio-profile ch 165
  dot11g-radio-profile channel-6


ap-name 9c1c12c82e5c
  dot11a-radio-profile ch149
  dot11g-radio-profile channel-1
ap-name 9c1c12cc6220
  dot11a-radio-profile ch 36
  dot11g-radio-profile channel-6
ap-name d8c7c8c0a168
  dot11a-radio-profile ch 36
  dot11g-radio-profile channel-1
airgroup cppm-server aaa
logging level warnings security subcat ids
logging level warnings security subcat ids-ap
snmp-server enable trap
snmp-server trap source 0000
snmp-server trap disable wlsxAdhocNetwork
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedAP
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedSta
snmp-server trap disable wlsxAdhocUsingValidSSID
snmp-server trap disable wlsxAuthMaxAclEntries
snmp-server trap disable wlsxAuthMaxBWContracts
snmp-server trap disable wlsxAuthMaxUserEntries
snmp-server trap disable wlsxAuthServerIsUp
snmp-server trap disable wlsxAuthServerReqTimedOut
snmp-server trap disable wlsxAuthServerTimedOut
snmp-server trap disable wlsxChannelChanged
snmp-server trap disable wlsxCoverageHoleDetected
snmp-server trap disable wlsxDBCommunicationFailure
snmp-server trap disable wlsxDisconnectStationAttack
snmp-server trap disable wlsxESIServerDown
snmp-server trap disable wlsxESIServerUp
snmp-server trap disable wlsxFanFailure
snmp-server trap disable wlsxFanTrayInserted
snmp-server trap disable wlsxFanTrayRemoved
snmp-server trap disable wlsxGBICInserted
snmp-server trap disable wlsxIpSpoofingDetected
snmp-server trap disable wlsxLCInserted
snmp-server trap disable wlsxLCRemoved
snmp-server trap disable wlsxLicenseExpiry
snmp-server trap disable wlsxLowMemory
snmp-server trap disable wlsxLowOnFlashSpace
snmp-server trap disable wlsxOutOfRangeTemperature
snmp-server trap disable wlsxOutOfRangeVoltage
snmp-server trap disable wlsxPowerSupplyFailure
snmp-server trap disable wlsxPowerSupplyMissing
snmp-server trap disable wlsxProcessDied
snmp-server trap disable wlsxProcessExceedsMemoryLimits
snmp-server trap disable wlsxSCInserted
snmp-server trap disable wlsxSignatureMatch
snmp-server trap disable wlsxStaUnAssociatedFromUnsecureAP
snmp-server trap disable wlsxStationAddedToBlackList
snmp-server trap disable wlsxStationRemovedFromBlackList
snmp-server trap disable wlsxSwitchIPChanged
snmp-server trap disable wlsxSwitchRoleChange
snmp-server trap disable wlsxUserAuthenticationFailed
snmp-server trap disable wlsxUserEntryAuthenticated
snmp-server trap disable wlsxUserEntryChanged
snmp-server trap disable wlsxUserEntryCreated
snmp-server trap disable wlsxUserEntryDeAuthenticated
snmp-server trap disable wlsxUserEntryDeleted
snmp-server trap disable wlsxVrrpStateChange


firewall-visibility
process monitor log
end

WLAN TR

supported by Chromecast FireTV Roku etcairgroupservice DLNA Media id urnschemas-upnp-orgdeviceMediaServer1 id urnschemas-upnp-orgdeviceMediaServer2 id urnschemas-upnp-orgdeviceMediaServer3 id urnschemas-upnp-orgdeviceMediaServer4 id urnschemas-upnp-orgdeviceMediaRenderer1 id urnschemas-upnp-orgdeviceMediaRenderer2 id urnschemas-upnp-orgdeviceMediaRenderer3 id urnschemas-upnp-orgdeviceMediaPlayer1 description Mediaairgroupservice DLNA Print id urnschemas-upnp-orgdevicePrinter1 id urnschemas-upnp-orgservicePrintBasic1 id urnschemas-upnp-orgservicePrintEnhanced1 description Printairgroupservice allowall description Remaining-Servicesairgroup service airplay enableairgroup service airprint enableairgroup service itunes disableairgroup service remotemgmt disableairgroup service sharing disableairgroup service chat disableairgroup service googlecast disableairgroup service DIAL enableairgroup service DLNA Media disableairgroup service DLNA Print disableairgroup service allowall disableip igmpipv6 mldno firewall attack-rate cp 1024firewall enable ICE-STUN based firewall traversalfirewall attack-rate grat-arp 50 dropipv6 firewall ext-hdr-parse-len 100firewall cpip domain lookupcountry USaaa authentication mac defaultaaa authentication dot1x ArubaIntop-dot1x_profaaa authentication dot1x ascom machine-authentication enable machine-authentication machine-default-role ascom machine-authentication user-default-role authenticated reauthentication termination enable termination eap-type eap-peap termination inner-eap-type eap-mschapv2aaa authentication dot1x defaultaaa authentication dot1x Freeradius machine-authentication enable machine-authentication machine-default-role ascom machine-authentication user-default-role authenticatedaaa authentication-server radius Intop host 19216802 key 6035e299cd29e5ccb74cf92aac31ee2faaa server-group ascom auth-server Internalaaa server-group default auth-server Internal set role condition role value-ofaaa server-group intop auth-server 
Intopaaa profile ascom initial-role ascom authentication-dot1x ascom dot1x-default-role authenticated dot1x-server-group ascomaaa profile defaultaaa profile default-dot1x initial-role ascom authentication-dot1x Freeradius dot1x-default-role authenticated dot1x-server-group intopaaa profile default-dot1x-psk initial-role ascom authentication-dot1x default-psk dot1x-default-role authenticatedaaa authentication captive-portal defaultaaa authentication wispr defaultaaa authentication vpn defaultaaa authentication vpn default-rapaaa authentication mgmtaaa authentication stateful-ntlm defaultaaa authentication stateful-kerberos defaultaaa authentication stateful-dot1x server-group intopaaa authentication wiredweb-serverguest-access-emailvoice loggingvoice dialplan-profile defaultapp lync traffic-control defaultvoice real-time-configvoice sipaaa password-policy mgmtcontrol-plane-security no cpsec-enableids wms-general-profile poll-retries 3ids wms-local-system-profilevalid-network-oui-profileupgrade-profilelicense profileactivate-service-whitelistfile syncing profileifmap cppmpan profile defaultpan active-profileap system-profile defaultap regulatory-domain-profile default country-code US valid-11g-channel 1 valid-11g-channel 6 valid-11g-channel 11 valid-11a-channel 36 valid-11a-channel 40 valid-11a-channel 44 valid-11a-channel 48 valid-11a-channel 149 valid-11a-channel 153 valid-11a-channel 157 valid-11a-channel 161 valid-11a-channel 165 valid-11g-40mhz-channel-pair 1-5 valid-11g-40mhz-channel-pair 7-11 valid-11a-40mhz-channel-pair 36-40 valid-11a-40mhz-channel-pair 44-48 valid-11a-40mhz-channel-pair 149-153 valid-11a-40mhz-channel-pair 157-161ap wired-ap-profile defaultap enet-link-profile defaultap mesh-ht-ssid-profile defaultap lldp med-network-policy-profile defaultap mesh-cluster-profile defaultap lldp profile defaultap mesh-radio-profile defaultap wired-port-profile defaultids general-profile defaultids unauthorized-device-profile defaultids profile defaultrf 
arm-profile default assignment disablerf arm-profile disable assignment disable no scanning no multi-band-scanrf optimization-profile defaultrf event-thresholds-profile defaultrf am-scan-profile defaultrf dot11a-radio-profile ch 165 channel 48E tx-power 6 arm-profile disablerf dot11a-radio-profile ch 36 channel 36E tx-power 25 dot11h arm-profile disablerf dot11a-radio-profile ch 40 channel 40- tx-power 22rf dot11a-radio-profile ch149 channel 149E tx-power 6 dot11hrf dot11a-radio-profile ch44 channel 44 tx-power 16rf dot11a-radio-profile default arm-profile disablerf dot11g-radio-profile channel-1 channel 1 tx-power 6 dot11h arm-profile disablerf dot11g-radio-profile channel-11 channel 11 tx-power 30 dot11h arm-profile disablerf dot11g-radio-profile channel-6 channel 6 tx-power 25 dot11h arm-profile disablerf dot11g-radio-profile defaultwlan handover-trigger-profile defaultwlan rrm-ie-profile defaultwlan bcn-rpt-req-profile defaultwlan dot11r-profile defaultwlan tsm-req-profile defaultwlan voip-cac-profile default call-capacity 5 bandwidth-capacity 200 send-sip-status-code client 503 send-sip-status-code server 503wlan ht-ssid-profile default no 40MHz-enable no very-high-throughput-enable no 80MHz-enable no short-guard-intvl-20MHz no short-guard-intvl-40MHz no short-guard-intvl-80MHzwlan hotspot anqp-venue-name-profile defaultwlan hotspot anqp-nwk-auth-profile defaultwlan hotspot anqp-roam-cons-profile defaultwlan hotspot anqp-nai-realm-profile defaultwlan hotspot anqp-3gpp-nwk-profile defaultwlan hotspot h2qp-operator-friendly-name-profile defaultwlan hotspot h2qp-wan-metrics-profile defaultwlan hotspot h2qp-conn-capability-profile defaultwlan hotspot h2qp-op-cl-profile defaultwlan hotspot anqp-ip-addr-avail-profile defaultwlan hotspot anqp-domain-name-profile defaultwlan wmm-traffic-management-profile Ascom enable-shapingwlan edca-parameters-profile station defaultwlan edca-parameters-profile ap defaultwlan dot11k-profile defaultwlan ssid-profile --NEW-- essid 
ArubaIntop2 wmm-vo-dscp 56 wmm-vi-dscp 40 wmm-be-dscp 24 wmm-bk-dscp 8wlan ssid-profile default essid ArubaIntop opmode wpa2-psk-aes dtim-period 5 g-basic-rates 6 g-tx-rates 11 12 18 24 36 48 54 max-retries 4 wmm wmm-vo-dscp 46 wmm-vi-dscp 40 wmm-be-dscp 26 wmm-bk-dscp 0 wepkey1 1317981aecb1ee9a3145cbeeabbbc99a4c29e309ef9c8544 wpa-passphrase 50a78a5dac7e447441e028920cceef898a3ba5f29c6e2098 max-tx-fail 25 edca-parameters-profile station default edca-parameters-profile ap defaultwlan ssid-profile test opmode wpa2-psk-aes wmm-vo-dscp 56 wmm-vi-dscp 40 wmm-be-dscp 24 wmm-bk-dscp 8 wpa-passphrase c66913b490044f55538730b888a8522c02008a746fb88738wlan hotspot advertisement-profile defaultwlan hotspot hs2-profile defaultwlan virtual-ap default aaa-profile default-dot1xap provisioning-profile defaultrf arm-rf-domain-profile arm-rf-domain-key 49868e8b02680a8f03980ea4288197a4ap-lacp-striping-ipap-group default virtual-ap default dot11a-radio-profile ch149 dot11g-radio-profile channel-6ap-name 001a1eca2c1a dot11a-radio-profile ch 36 dot11g-radio-profile channel-11ap-name 001a1eca2c76 dot11a-radio-profile ch 36 dot11g-radio-profile channel-1ap-name 00246ccbf8b1ap-name 00246ccbf900 dot11a-radio-profile ch44 dot11g-radio-profile channel-11ap-name 24dec6cacabc dot11a-radio-profile ch149 dot11g-radio-profile channel-1ap-name 3400-ap-61-a dot11g-radio-profile channel-6ap-name 3400-ap-61-b dot11g-radio-profile channel-6ap-name 9c1c12c0c3bc dot11a-radio-profile ch 165 dot11g-radio-profile channel-6ap-name 9c1c12c82e5c dot11a-radio-profile ch149 dot11g-radio-profile channel-1ap-name 9c1c12cc6220 dot11a-radio-profile ch 36 dot11g-radio-profile channel-6ap-name d8c7c8c0a168 dot11a-radio-profile ch 36 dot11g-radio-profile channel-1airgroup cppm-server aaalogging level warnings security subcat idslogging level warnings security subcat ids-apsnmp-server enable trapsnmp-server trap source 0000snmp-server trap disable wlsxAdhocNetworksnmp-server trap disable 
wlsxAdhocNetworkBridgeDetectedAPsnmp-server trap disable wlsxAdhocNetworkBridgeDetectedStasnmp-server trap disable wlsxAdhocUsingValidSSIDsnmp-server trap disable wlsxAuthMaxAclEntriessnmp-server trap disable wlsxAuthMaxBWContractssnmp-server trap disable wlsxAuthMaxUserEntriessnmp-server trap disable wlsxAuthServerIsUpsnmp-server trap disable wlsxAuthServerReqTimedOutsnmp-server trap disable wlsxAuthServerTimedOutsnmp-server trap disable wlsxChannelChangedsnmp-server trap disable wlsxCoverageHoleDetectedsnmp-server trap disable wlsxDBCommunicationFailuresnmp-server trap disable wlsxDisconnectStationAttacksnmp-server trap disable wlsxESIServerDownsnmp-server trap disable wlsxESIServerUpsnmp-server trap disable wlsxFanFailuresnmp-server trap disable wlsxFanTrayInsertedsnmp-server trap disable wlsxFanTrayRemovedsnmp-server trap disable wlsxGBICInsertedsnmp-server trap disable wlsxIpSpoofingDetectedsnmp-server trap disable wlsxLCInsertedsnmp-server trap disable wlsxLCRemovedsnmp-server trap disable wlsxLicenseExpirysnmp-server trap disable wlsxLowMemorysnmp-server trap disable wlsxLowOnFlashSpacesnmp-server trap disable wlsxOutOfRangeTemperaturesnmp-server trap disable wlsxOutOfRangeVoltagesnmp-server trap disable wlsxPowerSupplyFailuresnmp-server trap disable wlsxPowerSupplyMissingsnmp-server trap disable wlsxProcessDiedsnmp-server trap disable wlsxProcessExceedsMemoryLimitssnmp-server trap disable wlsxSCInsertedsnmp-server trap disable wlsxSignatureMatchsnmp-server trap disable wlsxStaUnAssociatedFromUnsecureAPsnmp-server trap disable wlsxStationAddedToBlackListsnmp-server trap disable wlsxStationRemovedFromBlackListsnmp-server trap disable wlsxSwitchIPChangedsnmp-server trap disable wlsxSwitchRoleChangesnmp-server trap disable wlsxUserAuthenticationFailedsnmp-server trap disable wlsxUserEntryAuthenticatedsnmp-server trap disable wlsxUserEntryChangedsnmp-server trap disable wlsxUserEntryCreatedsnmp-server trap disable wlsxUserEntryDeAuthenticatedsnmp-server trap 
disable wlsxUserEntryDeletedsnmp-server trap disable wlsxVrrpStateChangefirewall-visibility process monitor logend


WLAN Interoperability Test Report

Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP115 and AP225
WLAN configuration: Beacon Interval 100 ms; DTIM Interval 5; 802.11d Regulatory Domain XX; WMM Enabled (AutoWMM); No Auto-tune; Single Voice VLAN

| Test Case | Description | AP115 2.4 GHz | AP115 5.0 GHz | AP225 2.4 GHz | AP225 5.0 GHz | Comment |
|---|---|---|---|---|---|---|
| | TEST AREA: ASSOCIATION / AUTHENTICATION | | | | | |
| 101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS | |
| 104 | Association with WPA-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 105 | Association with WPA-PSK authentication, AES-CCMP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 106 | Association with WPA2-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS | |
| 110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL |
| 111 | Association with EAP-FAST authentication | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment |
| 116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate |
| | TEST AREA: POWER-SAVE AND QOS | | | | | PASS |
| 150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL |
| 151 | Beacon period and DTIM interval | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
| 152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment |
| 202 | WMM prioritization | PASS | PASS | PASS | PASS | Background load generated with iPerf. No degeneration of voice quality |
| | TEST AREA: PERFORMANCE | | | | | |
| 301 | Active mode - unencrypted | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 303 | Active mode - encrypted with WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 308 | Power-save mode U-APSD - WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 309 | Power-save mode U-APSD - WPA2-PSK AES, background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 310 | CAC - TSPEC | PASS | PASS | PASS | PASS | No TSPEC based CAC |
| | TEST AREA: ROAMING AND HANDOVER TIMES | | | | | |
| 401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | avg a/n 24 ms, b/g/n 24 ms |
| 403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 52 ms, b/g/n 59 ms |
| 408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 63 ms, b/g/n 62 ms |
| 410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | always on, see 408 |
| 411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | always on, see 408 |
| | TEST AREA: BATTERY LIFETIME | | | | | |
| 501 | Battery lifetime in idle | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 502 | Battery lifetime in call with no power save | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 504 | Battery lifetime in call with power save mode U-APSD | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| | TEST AREA: STABILITY | | | | | |
| 601 | Duration of call - Active mode | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 602 | Duration of call - U-APSD mode | PASS | PASS | PASS | PASS | |
| | TEST AREA: 802.11n | | | | | |
| 801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 804 | 40 MHz channels | NOT TESTED | PASS | NOT TESTED | NOT TESTED | |
| 805 | 802.11n rates | PASS | PASS | PASS | PASS | |

WLAN Interoperability Test Report

Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP103 and AP205
WLAN configuration: Beacon Interval 100 ms; DTIM Interval 5; 802.11d Regulatory Domain XX; WMM Enabled (AutoWMM); No Auto-tune; Single Voice VLAN

| Test Case | Description | AP205 2.4 GHz | AP205 5.0 GHz | AP103 2.4 GHz | AP103 5.0 GHz | Comment |
|---|---|---|---|---|---|---|
| | TEST AREA: ASSOCIATION / AUTHENTICATION | | | | | |
| 101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS | |
| 104 | Association with WPA-PSK authentication, TKIP encryption | See Comment | See Comment | See Comment | See Comment | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 105 | Association with WPA-PSK authentication, AES-CCMP encryption | See Comment | See Comment | See Comment | See Comment | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 106 | Association with WPA2-PSK authentication, TKIP encryption | PASS | PASS | PASS | PASS | |
| 107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS | |
| 110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL |
| 115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment |
| 116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate |
| | TEST AREA: POWER-SAVE AND QOS | | | | | PASS |
| 150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL |
| 151 | Beacon period and DTIM interval | See Comment | See Comment | PASS | PASS | Only DTIM 1 for AP205; AP103 no remark. NOT TESTED |
| 152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment |
| 202 | WMM prioritization | PASS | PASS | PASS | PASS | |
| | TEST AREA: PERFORMANCE | | | | | |
| 301 | Active mode - unencrypted | PASS | PASS | PASS | PASS | |
| 303 | Active mode - encrypted with WPA2-PSK | PASS | PASS | PASS | PASS | |
| 308 | Power-save mode U-APSD - WPA2-PSK | PASS | PASS | PASS | PASS | |
| 309 | Power-save mode U-APSD - WPA2-PSK AES, background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 310 | CAC - TSPEC | PASS | PASS | PASS | PASS | Non-TSPEC based CAC |
| | TEST AREA: ROAMING AND HANDOVER TIMES | | | | | |
| 401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | Typical average roaming time: a/n/ac 16 ms, b/g/n 18 ms |
| 403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | Typical average roaming time: a/n/ac 53 ms, b/g/n 59 ms |
| 408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | Typical average roaming time: a/n/ac 46 ms, b/g/n 62 ms |
| 410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | always on, see 408 |
| 411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | always on, see 408 |
| | TEST AREA: BATTERY LIFETIME | | | | | |
| 501 | Battery lifetime in idle | See Comment | See Comment | PASS | PASS | 60-70 h due to DTIM 1 only; AP103 90-100 h (DTIM 5) |
| 502 | Battery lifetime in call with no power save | PASS | PASS | PASS | PASS | 3-4 hours |
| 504 | Battery lifetime in call with power save mode U-APSD | PASS | PASS | PASS | PASS | 13 h (14-16 h for AP103) |
| | TEST AREA: STABILITY | | | | | |
| 601 | Duration of call - Active mode | PASS | PASS | PASS | PASS | 24 h + |
| 602 | Duration of call - U-APSD mode | PASS | PASS | PASS | PASS | 24 h + |
| | TEST AREA: 802.11n | | | | | |
| 801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 804 | 40 MHz channels | NOT TESTED | PASS | NOT TESTED | PASS | AP205 80 MHz channels verified OK |
| 805 | 802.11n rates | PASS | PASS | PASS | PASS | |

WLAN Interoperability Test Report

Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP105 and AP135
WLAN configuration: Beacon Interval 100 ms; DTIM Interval 5; 802.11d Regulatory Domain XX; WMM Enabled (AutoWMM); No Auto-tune; Single Voice VLAN

| Test Case | Description | AP105 2.4 GHz | AP105 5.0 GHz | AP135 2.4 GHz | AP135 5.0 GHz | Comment |
|---|---|---|---|---|---|---|
| | TEST AREA: ASSOCIATION / AUTHENTICATION | | | | | |
| 101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS | |
| 104 | Association with WPA-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 105 | Association with WPA-PSK authentication, AES-CCMP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 106 | Association with WPA2-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS | |
| 110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL |
| 115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment |
| 116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate |
| | TEST AREA: POWER-SAVE AND QOS | | | | | PASS |
| 150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL |
| 151 | Beacon period and DTIM interval | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Only DTIM 1 for AP205; AP103 no remark. NOT TESTED |
| 152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment |
| 202 | WMM prioritization | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Background load generated with iPerf. No degeneration of voice quality |
| | TEST AREA: PERFORMANCE | | | | | |
| 301 | Active mode - unencrypted | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 303 | Active mode - encrypted with WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 308 | Power-save mode U-APSD - WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 309 | Power-save mode U-APSD - WPA2-PSK AES, background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 310 | CAC - TSPEC | PASS | PASS | PASS | PASS | No TSPEC based CAC |
| | TEST AREA: ROAMING AND HANDOVER TIMES | | | | | |
| 401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | avg a/n 29 ms, b/g/n 27 ms |
| 403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 57 ms, b/g/n 55 ms |
| 408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 62 ms, b/g/n 60 ms |
| 410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | Always on, see 408 |
| 411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | Always on, see 408 |
| 412 | Preauthentication | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| | TEST AREA: BATTERY LIFETIME | | | | | |
| 501 | Battery lifetime in idle | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 502 | Battery lifetime in call with no power save | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 504 | Battery lifetime in call with power save mode U-APSD | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| | TEST AREA: STABILITY | | | | | |
| 601 | Duration of call - Active mode | PASS | PASS | PASS | PASS | |
| 602 | Duration of call - U-APSD mode | PASS | PASS | PASS | PASS | |
| | TEST AREA: 802.11n | | | | | |
| 801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 804 | 40 MHz channels | NOT TESTED | NOT TESTED | NOT TESTED | PASS | |
| 805 | 802.11n rates | PASS | PASS | PASS | PASS | |

Test Methodology

Summary Test Results

The features and functions listed below were assessed during interoperability testing. The test results are presented in the right-most column.

WLAN Controller Features

| High Level Functionality | Result |
|---|---|
| Association Open with No Encryption | OK |
| Association Open with Static WEP64/128 | Not tested |
| Association WPA-PSK TKIP | OK |
| Association WPA2-PSK TKIP AES Encryption | OK |
| Association PEAP-MSCHAPv2 Auth TKIP Encryption | OK |
| Association PEAP-MSCHAPv2 Auth AES Encryption | OK |
| Association EAP-TLS | OK |
| Association Multiple ESSIDs | OK |
| Beacon Interval and DTIM Period | OK |
| Pre-authentication | NA |
| PMKSA Caching | OK |
| WPA2-Opportunistic/Proactive Key Caching | OK |
| WMM Prioritization | OK |
| Active Mode (load test) | OK |
| 802.11 Power-Save Mode | OK |
| 802.11e U-APSD | OK |
| 802.11e U-APSD (load test) | OK |

Roaming

| High Level Functionality | Result |
|---|---|
| Roaming Open with No Encryption | OK (Avg roaming time 24 ms) |
| Roaming WPA-PSK TKIP Encryption | Not tested |
| Roaming WPA2-PSK AES Encryption | OK (Avg roaming time 59 ms) |
| Roaming PEAP-MSCHAPv2 Auth AES Encryption | OK (Avg roaming time 68 ms) |

Stated roaming times were measured using 802.11b/g (n) AP-225. Refer to Appendix B for detailed test records.

Results observed with Opportunistic Key Caching enabled. Results average 400 ms without Opportunistic Key Caching.

Known Limitations

- Note that AP-205/214/215/224/225/275 only support DTIM 1. This will reduce the standby (idle) time from approximately 100 hours to 60 hours.

- Ascom i62 does not handle 802.11k information correctly, which affects roaming negatively. It is therefore highly recommended to configure the Aruba system not to advertise the 802.11k capabilities for the Ascom i62 SSID.

Conclusion

The verification, including association, authentication, roaming and load test, produced very good results overall. Roaming times were in general good, with roaming times of around 40-60 ms both when using WPA2-PSK/AES and PEAP-MSCHAPv2 (WPA2/AES).

Load testing showed that more than 18 Ascom i62 Handsets could maintain a call via a single Aruba access point when tested both in active and U-APSD modes. Note that 18 was the maximum number of devices tested and not the capacity limit.

Appendix 1

This section includes screenshots and explanations of basic settings required to use Ascom i62 Handsets with an Aruba 3400 Mobility Controller. Please note the security settings of each test case, as they were modified according to the needs of the test cases.

The configuration file is found at the end of this appendix.

General settings (SSID, Radio and QoS)

Set DTIM Interval to 5 (for AP-204/205/214/215/224/225 only value 1 is supported). This value is recommended for maximum battery conservation without impacting call quality. Using a lower value will also decrease the standby time slightly.

Ascom recommends disabling the lowest rates and recommends that 12 Mbit/s is the lowest basic rate.

Ensure that WMM and U-APSD are enabled. To match the default values in the i62, use DSCP 46 for voice, 26 for video and 0 for best effort. It is also recommended that "Max Transmit Attempts" be set to 4.

Note: To further optimize performance, it is recommended that 802.11b clients be disallowed from associating by setting 6 Mbps or 12 Mbps as Basic Rates in the 802.11g configuration.

Set "Maximum Transmit Failures" to 25.

"High throughput enable" enables 802.11n capabilities, which are supported in combination with Open encryption and WPA2-AES (PSK or Enterprise).

Ascom supports both 40 MHz and Very High Throughput enabled SSIDs, including 80 MHz channels.

Ascom recommends a Beacon Interval of 100 ms and advertising 802.11d/h capabilities.

General guidelines when deploying Ascom i62 handsets (SW version 2.5.7 or later) in 802.11a/n environments:

1. Enabling more than 8 channels will degrade roaming performance. Ascom strongly recommends against going above this limit.

2. Using 40 MHz channels (or "channel-bonding") will reduce the number of non-DFS channels to two in ETSI regions (Europe). In FCC regions (North America), 40 MHz is a more viable option because of the availability of additional non-DFS channels. The handset can co-exist with 40 MHz stations in the same ESS.

3. Make sure that all non-DFS channels are taken before resorting to DFS channels. The handset can cope in mixed non-DFS and DFS environments; however, due to the "unpredictability" introduced by radar detection protocols, voice quality may become distorted and roaming delayed. Hence Ascom recommends avoiding the use of DFS channels in VoWi-Fi deployments.

DFS: Dynamic Frequency Selection (radar detection).

Ascom recommends a Beacon Interval of 100 ms and advertising 802.11d/h capabilities. For 802.11b/g/n, use only channels 1, 6 and 11. For 802.11a/n, use channels in accordance with Aruba's guidelines and in compliance with local regulations.

Encryption and Authentication Settings

WPA2-PSK: Set the security profile to WPA2-PSK, AES encryption.
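
The SSID settings recommended above can be checked mechanically against a controller configuration. The script below is an added example, not part of the original guide or of Aruba's or Ascom's tooling: it parses `wlan ssid-profile` stanzas and reports deviations from the guide's values. The keywords are the ones that appear in the guide's test configuration; the sample profile names and values are constructed, and the indented stanza layout is an assumption.

```python
"""Audit ArubaOS 'wlan ssid-profile' stanzas against the guide's i62 settings."""

# Constructed sample (not the tested controller's file). Keywords are the ones
# visible in the guide's configuration; profile names and values are made up.
SAMPLE_CONFIG = """\
wlan ssid-profile "voice-ok"
    essid "VoiceLab"
    opmode wpa2-psk-aes
    dtim-period 5
    g-basic-rates 12
    g-tx-rates 12 18 24 36 48 54
    max-retries 4
    wmm
    wmm-vo-dscp 46
    max-tx-fail 25
!
wlan ssid-profile "voice-weak"
    essid "VoiceLab2"
    dtim-period 1
    g-basic-rates 1 2
    wmm-vo-dscp 56
!
wlan virtual-ap "default"
    aaa-profile "default-dot1x"
"""

# Values recommended in the guide's "General settings" section.
EXPECTED = {
    "dtim-period": "5",   # APs limited to DTIM 1 will be reported here
    "max-retries": "4",   # "Max Transmit Attempts"
    "max-tx-fail": "25",  # "Maximum Transmit Failures"
    "wmm-vo-dscp": "46",  # i62 default DSCP for voice
}
# 802.11b rates; both spellings of 5.5 Mbps are accepted (assumption).
LEGACY_11B_RATES = {"1", "2", "5", "5.5", "11"}


def parse_ssid_profiles(text):
    """Return {profile name: {keyword: value}} for every ssid-profile stanza."""
    profiles, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw[0].isspace():  # top-level command opens or ends a stanza
            words = line.split()
            if words[:2] == ["wlan", "ssid-profile"] and len(words) >= 3:
                name = " ".join(words[2:]).strip('"')
                current = profiles.setdefault(name, {})
            else:
                current = None
            continue
        if current is not None:  # indented sub-command of an ssid-profile
            key, _, value = line.partition(" ")
            current[key] = value.strip().strip('"')
    return profiles


def audit_profile(settings):
    """Return a list of findings for one profile; empty means it matches."""
    findings = []
    opmode = settings.get("opmode")
    if opmode is None:
        findings.append("opmode: not set; configure WPA2 with AES explicitly")
    elif not (opmode.startswith("wpa2-") and opmode.endswith("aes")):
        findings.append(f"opmode: {opmode} is not WPA2 with AES")
    for key, want in EXPECTED.items():
        have = settings.get(key)
        if have != want:
            findings.append(f"{key}: expected {want}, found {have or 'unset'}")
    if "wmm" not in settings:
        findings.append("wmm: not enabled")
    basic = set(settings.get("g-basic-rates", "").split())
    legacy = sorted(basic & LEGACY_11B_RATES, key=float)
    if not basic:
        findings.append("g-basic-rates: unset; guide recommends 6 or 12")
    elif legacy:
        findings.append("g-basic-rates: 802.11b rates present: " + ", ".join(legacy))
    return findings


def audit_config(text):
    """Audit every ssid-profile found in a configuration text."""
    return {name: audit_profile(s) for name, s in parse_ssid_profiles(text).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name + ":", "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

A DTIM finding on an SSID served by AP-204/205/214/215/224/225 is expected, since the guide states those models only support DTIM 1.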

Enterprise/.1X authentication

Step 1. When configuring the authentication mode using a RADIUS server, the IP address and the secret must correspond to the IP address and the credential used by the RADIUS server. The RADIUS server should be added to a Server Group.

Step 2. Create an 802.1X Authentication Profile.

Step 3. Choose the 802.1X Authentication Profile created in the previous step and configure the Authentication Server group.

Choose the configured AAA Profile and set WPA2/AES as the security mode.

See Appendix B for the controller configuration used for the certification process.

Ascom i62 Setting Summary

Network settings for WPA2-PSK

Network settings for .1X authentication (PEAP-MSCHAPv2)

802.1X authentication requires a root certificate to be uploaded to the phone by "right clicking" -> Edit certificates. EAP-TLS will require both a root and a client certificate.

Note that both a root and a client certificate are needed for TLS. Otherwise only a root certificate is needed.

Server certificate validation can be overridden in version 4.1.12 and above via a per-handset setting (Validate server certificate, under Network settings).

Appendix B

Test Summary

| Description | Runs |
|---|---|
| Tests passed | 24 |
| Tests Not Run | 11 |
| Tests fail | 0 |
| Test NA | 0 |
| Total Number of Tests | 35 |

DeployingAscomrsquosi62VoWi‐FiHandsetwithArubaNetworksrsquoSecureMobilitySolution 20

Aruba Test Configuration File

version 64
enable secret 7d3988e20126db68084797bcc038534bffc2ced01c24555806
hostname Aruba3400
clock timezone PST -8
location Building1floor1
controller config 716
ip NAT pool dynamic-srcnat 0000 0000
ip access-list eth validuserethacl
   permit any
netservice svc-pcoip2-tcp tcp 4172
netservice svc-snmp-trap udp 162
netservice svc-netbios-dgm udp 138
netservice svc-citrix tcp 2598
netservice svc-smb-tcp tcp 445
netservice svc-ike udp 500
netservice svc-l2tp udp 1701
netservice svc-syslog udp 514
netservice svc-dhcp udp 67 68 alg dhcp
netservice svc-https tcp 443
netservice svc-ica tcp 1494
netservice svc-pptp tcp 1723
netservice svc-telnet tcp 23
netservice svc-http-accl tcp 88
netservice svc-sccp tcp 2000 alg sccp
netservice svc-sec-papi udp 8209
netservice svc-tftp udp 69 alg tftp
netservice svc-kerberos udp 88
netservice svc-sip-tcp tcp 5060
netservice svc-netbios-ssn tcp 139
netservice svc-pcoip-udp udp 50002
netservice svc-pcoip-tcp tcp 50002
netservice svc-pop3 tcp 110
netservice svc-adp udp 8200
netservice svc-cfgm-tcp tcp 8211
netservice svc-noe udp 32512 alg noe
netservice svc-http-proxy3 tcp 8888
netservice svc-lpd-tcp tcp 631
netservice svc-msrpc-tcp tcp 135 139
netservice svc-rtsp tcp 554 alg rtsp
netservice svc-dns udp 53 alg dns
netservice vnc tcp 5900 5905
netservice svc-vocera udp 5002 alg vocera
netservice svc-h323-tcp tcp 1720
netservice svc-h323-udp udp 1718 1719
netservice svc-http tcp 80
netservice svc-nterm tcp 1026 1028
netservice svc-sip-udp udp 5060
netservice svc-http-proxy2 tcp 8080
netservice svc-noe-oxo udp 5000 alg noe
netservice svc-papi udp 8211
netservice svc-ftp tcp 21 alg ftp
netservice svc-natt udp 4500
netservice svc-svp 119 alg svp
netservice svc-microsoft-ds tcp 445
netservice svc-gre 47
netservice svc-smtp tcp 25
netservice web tcp list 80 443
netservice svc-smb-udp udp 445
netservice svc-sips tcp 5061 alg sips
netservice svc-netbios-ns udp 137
netservice svc-esp 50


netservice svc-cups tcp 515
netservice svc-pcoip2-udp udp 4172
netservice svc-bootp udp 67 69
netservice svc-snmp udp 161
netservice svc-v6-dhcp udp 546 547
netservice svc-icmp 1
netservice svc-ntp udp 123
netservice svc-msrpc-udp udp 135 139
netservice svc-ssh tcp 22
netservice svc-http-proxy1 tcp 3128
netservice svc-v6-icmp 58
netservice svc-lpd-udp udp 631
netservice svc-vmware-rdp tcp 3389
netdestination6 ipv6-reserved-range
   invert
   network 20003
netexthdr default
time-range night-hours periodic
   weekday 1801 to 2359
   weekday 0000 to 0759
time-range weekend periodic
   weekend 0000 to 2359
time-range working-hours periodic
   weekday 0800 to 1800
ip access-list session allow-diskservices
   any any svc-netbios-dgm permit
   any any svc-netbios-ssn permit
   any any svc-microsoft-ds permit
   any any svc-netbios-ns permit
ip access-list session control
   any any svc-papi permit
   any any svc-sec-papi permit
   user any udp 68 deny
   any any svc-icmp permit
   any any svc-dns permit
   any any svc-cfgm-tcp permit
   any any svc-adp permit
   any any svc-tftp permit
   any any svc-dhcp permit
   any any svc-natt permit
ip access-list session v6-icmp-acl
ip access-list session apprf-ascom-sacl
ip access-list session validuser
   network 16925400 25525500 any any deny
   network 127000 255000 any any deny
   network 224000 240000 any any deny
   host 255255255255 any any deny
   network 240000 240000 any any deny
   any any any permit
   ipv6 host fe80 any any deny
   ipv6 network fc007 any any permit
   ipv6 network fe8064 any any permit
   ipv6 alias ipv6-reserved-range any any deny
   ipv6 any any any permit
ip access-list session vocera-acl
   any any svc-vocera permit queue high


ip access-list session v6-https-acl
ip access-list session vmware-acl
   any any svc-vmware-rdp permit tos 46 dot1p-priority 6
   any any svc-pcoip-tcp permit tos 46 dot1p-priority 6
   any any svc-pcoip-udp permit tos 46 dot1p-priority 6
   any any svc-pcoip2-tcp permit tos 46 dot1p-priority 6
   any any svc-pcoip2-udp permit tos 46 dot1p-priority 6
ip access-list session apprf-default-vpn-role-sacl
ip access-list session v6-control
   ipv6 any any svc-papi permit
   ipv6 any any svc-sec-papi permit
   ipv6 user any udp 547 deny
   ipv6 any any svc-v6-icmp permit
   ipv6 any any svc-dns permit
   ipv6 any any svc-cfgm-tcp permit
   ipv6 any any svc-adp permit
   ipv6 any any svc-tftp permit
   ipv6 any any svc-dhcp permit
   ipv6 any any svc-natt permit
ip access-list session icmp-acl
   any any svc-icmp permit
ip access-list session apprf-authenticated-sacl
ip access-list session apprf-stateful-dot1x-sacl
ip access-list session captiveportal
   user alias controller svc-https dst-nat 8081
   user any svc-http dst-nat 8080
   user any svc-https dst-nat 8081
   user any svc-http-proxy1 dst-nat 8088
   user any svc-http-proxy2 dst-nat 8088
   user any svc-http-proxy3 dst-nat 8088
ip access-list session v6-dhcp-acl
ip access-list session allowall
   any any any permit
ip access-list session v6-dns-acl
ip access-list session apprf-voice-sacl
ip access-list session lync-acl
   any any svc-sips permit queue high
ip access-list session test
ip access-list session sip-acl
   any any svc-sip-udp permit queue high
   any any svc-sip-tcp permit queue high
ip access-list session https-acl
   any any svc-https permit
ip access-list session citrix-acl
   any any svc-citrix permit tos 46 dot1p-priority 6
   any any svc-ica permit tos 46 dot1p-priority 6
ip access-list session dns-acl
   any any svc-dns permit


ip access-list session ascom
   any any any permit
ip access-list session ra-guard
   ipv6 user any icmpv6 rtr-adv deny
ip access-list session allow-printservices
   any any svc-cups permit
   any any svc-lpd-tcp permit
   any any svc-lpd-udp permit
ip access-list session logon-control
   user any udp 68 deny
   any any svc-icmp permit
   any any svc-dns permit
   any any svc-dhcp permit
   any any svc-natt permit
   any network 16925400 25525500 any deny
   any network 240000 240000 any deny
ip access-list session vpnlogon
   user any svc-ike permit
   user any svc-esp permit
   any any svc-l2tp permit
   any any svc-pptp permit
   any any svc-gre permit
ip access-list session srcnat
   user any any src-nat
ip access-list session skinny-acl
   any any svc-sccp permit queue high
ip access-list session tftp-acl
   any any svc-tftp permit
ip access-list session v6-allowall
ip access-list session apprf-cpbase-sacl
ip access-list session cplogout
   user alias controller svc-https dst-nat 8081
ip access-list session apprf-default-via-role-sacl
ip access-list session dhcp-acl
   any any svc-dhcp permit
ip access-list session http-acl
   any any svc-http permit
ip access-list session v6-http-acl
ip access-list session captiveportal6
   ipv6 user alias controller6 svc-https captive
   ipv6 user any svc-http captive
   ipv6 user any svc-https captive
   ipv6 user any svc-http-proxy1 captive
   ipv6 user any svc-http-proxy2 captive
   ipv6 user any svc-http-proxy3 captive
ip access-list session apprf-guest-sacl
ip access-list session ap-uplink-acl
   any any udp 68 permit


   any any svc-icmp permit
   any host 22400251 udp 5353 permit
ip access-list session ap-acl
   any any svc-gre permit
   any any svc-syslog permit
   any user svc-snmp permit
   user any svc-http permit
   user any svc-http-accl permit
   user any svc-smb-tcp permit
   user any svc-msrpc-tcp permit
   user any svc-snmp-trap permit
   user any svc-ntp permit
   user alias controller svc-ftp permit
ip access-list session svp-acl
   any any svc-svp permit queue high
   user host 22401116 any permit
ip access-list session noe-acl
   any any svc-noe permit queue high
ip access-list session global-sacl
ip access-list session v6-ap-acl
   ipv6 any any svc-gre permit
   ipv6 any any svc-syslog permit
   ipv6 any user svc-snmp permit
   ipv6 user any svc-snmp-trap permit
   ipv6 user any svc-ntp permit
   ipv6 user alias controller6 svc-ftp permit
ip access-list session h323-acl
   any any svc-h323-tcp permit queue high
   any any svc-h323-udp permit queue high
ip access-list session v6-logon-control
   ipv6 any network fc007 any permit
   ipv6 any network fe8064 any permit
   ipv6 any alias ipv6-reserved-range any deny
vpn-dialer default-dialer
   ike authentication PRE-SHARE 0fa4598253e270cc96afbec0732b06120e4a3d76a908f6e2
dot1x high-watermark 60
dot1x low-watermark 57
user-role ap-role
   access-list session ra-guard
   access-list session control
   access-list session ap-acl
   access-list session v6-control
   access-list session v6-ap-acl
user-role denyall
user-role default-vpn-role
   access-list session global-sacl
   access-list session apprf-default-vpn-role-sacl
   access-list session ra-guard
   access-list session allowall
   access-list session v6-allowall
user-role cpbase
   access-list session global-sacl
   access-list session apprf-cpbase-sacl


user-role voice
   access-list session global-sacl
   access-list session apprf-voice-sacl
   access-list session ra-guard
   access-list session sip-acl
   access-list session noe-acl
   access-list session svp-acl
   access-list session vocera-acl
   access-list session skinny-acl
   access-list session h323-acl
   access-list session dhcp-acl
   access-list session tftp-acl
   access-list session dns-acl
   access-list session icmp-acl
user-role ascom
   access-list session global-sacl
   access-list session apprf-ascom-sacl
   access-list session ascom
user-role default-via-role
   access-list session global-sacl
   access-list session apprf-default-via-role-sacl
   access-list session allowall
   access-list session v6-allowall
user-role guest-logon
   captive-portal default
   access-list session ra-guard
   access-list session logon-control
   access-list session captiveportal
   access-list session v6-logon-control
   access-list session captiveportal6
user-role guest
   access-list session global-sacl
   access-list session apprf-guest-sacl
   access-list session ra-guard
   access-list session http-acl
   access-list session https-acl
   access-list session dhcp-acl
   access-list session icmp-acl
   access-list session dns-acl
   access-list session v6-http-acl
   access-list session v6-https-acl
   access-list session v6-dhcp-acl
   access-list session v6-icmp-acl
   access-list session v6-dns-acl
user-role stateful-dot1x
   access-list session global-sacl
   access-list session apprf-stateful-dot1x-sacl
user-role authenticated
   access-list session global-sacl
   access-list session apprf-authenticated-sacl
   access-list session ra-guard
   access-list session allowall
   access-list session v6-allowall
user-role logon
   access-list session ra-guard
   access-list session logon-control
   access-list session captiveportal
   access-list session vpnlogon
   access-list session v6-logon-control


   access-list session captiveportal6
no kernel coredump
interface mgmt
   shutdown
dialer group evdo_us
   init-string ATQ0V1E0
   dial-string ATDT777
dialer group gsm_us
   init-string AT+CGDCONT=1IPISPCINGULAR
   dial-string ATD99
dialer group gsm_asia
   init-string AT+CGDCONT=1IPinternet
   dial-string ATD991
dialer group vivo_br
   init-string AT+CGDCONT=1IPzapvivocombr
   dial-string ATD99
no spanning-tree
interface gigabitethernet 10
   description GE10
   trusted
   trusted vlan 1-4094
interface gigabitethernet 11
   description GE11
   trusted
   trusted vlan 1-4094
interface gigabitethernet 12
   description GE12
   trusted
   trusted vlan 1-4094
interface gigabitethernet 13
   description GE13
   trusted
   trusted vlan 1-4094
interface vlan 1
   ip address 192168013 2552552550
ip default-gateway 172201061
ip default-gateway 192168050
uplink disable


crypto isakmp policy 20
   encryption aes256
crypto isakmp policy 10001
crypto isakmp policy 10002
   encryption aes256
   authentication rsa-sig
crypto isakmp policy 10003
   encryption aes256
crypto isakmp policy 10004
   version v2
   encryption aes256
   authentication rsa-sig
crypto isakmp policy 10005
   encryption aes256
crypto isakmp policy 10006
   version v2
   encryption aes128
   authentication rsa-sig
crypto isakmp policy 10007
   version v2
   encryption aes128
crypto isakmp policy 10008
   version v2
   encryption aes128
   hash sha2-256-128
   group 19
   authentication ecdsa-256
   prf prf-hmac-sha256
crypto isakmp policy 10009
   version v2
   encryption aes256
   hash sha2-384-192
   group 20
   authentication ecdsa-384
   prf prf-hmac-sha384
crypto ipsec transform-set default-ha-transform esp-3des esp-sha-hmac
crypto ipsec transform-set default-boc-bm-transform esp-3des esp-sha-hmac
crypto ipsec transform-set default-rap-transform esp-aes256 esp-sha-hmac
crypto ipsec transform-set default-aes esp-aes256 esp-sha-hmac
crypto dynamic-map default-rap-ipsecmap 10001
   version v2
   set transform-set default-gcm256 default-gcm128 default-rap-transform
crypto dynamic-map default-dynamicmap 10000
   set transform-set default-transform default-aes


crypto map GLOBAL-IKEV2-MAP 10000 ipsec-isakmp dynamic default-rap-ipsecmap
crypto map GLOBAL-MAP 10000 ipsec-isakmp dynamic default-dynamicmap
crypto isakmp eap-passthrough eap-tls
crypto isakmp eap-passthrough eap-peap
crypto isakmp eap-passthrough eap-mschapv2
vpdn group l2tp
vpdn group pptp
tunneled-node-address 0000
adp discovery enable
adp igmp-join enable
adp igmp-vlan 0
voice rtcp-inactivity disable
voice alg-based-cac enable
voice sip-midcall-req-timeout disable
ap ap-blacklist-time 3600
ap flush-r1-on-new-r0 disable
mgmt-user admin root 5436b5a101681372db26d314e974065944317cd3e1fe6a5534
no database synchronize
ip mobile domain default
airgroup mdns enable
airgroup dlna enable
airgroup location-discovery enable
airgroup active-wireless-discovery disable
airgroupservice airplay
   id _airplay_tcp
   id _raop_tcp
   id _appletv-v2_tcp
   description AirPlay
airgroupservice airprint
   id _ipp_tcp
   id _pdl-datastream_tcp
   id _printer_tcp
   id _scanner_tcp
   id _universal_sub_ipp_tcp
   id _universal_sub_ipps_tcp
   id _printer_sub_http_tcp
   id _http_tcp


   id _http-alt_tcp
   id _ipp-tls_tcp
   id _fax-ipp_tcp
   id _riousbprint_tcp
   id _cups_sub_ipp_tcp
   id _cups_sub_fax-ipp_tcp
   id _ica-networking_tcp
   id _ptp_tcp
   id _canon-bjnp1_tcp
   id _ipps_tcp
   id _ica-networking2_tcp
   description AirPrint
airgroupservice itunes
   id _home-sharing_tcp
   id _apple-mobdev_tcp
   id _daap_tcp
   id _dacp_tcp
   description iTunes
airgroupservice remotemgmt
   id _ssh_tcp
   id _sftp-ssh_tcp
   id _ftp_tcp
   id _telnet_tcp
   id _rfb_tcp
   id _net-assistant_tcp
   description Remote management
airgroupservice sharing
   id _odisk_tcp
   id _afpovertcp_tcp
   id _xgrid_tcp
   description Sharing
airgroupservice chat
   id _presence_tcp
   description Chat
airgroupservice googlecast
   id _googlecast_tcp
   description GoogleCast supported by Chromecast etc
airgroupservice DIAL
   id urndial-multiscreen-orgservicedial1
   id urndial-multiscreen-orgdevicedial1
   description DIAL supported by Chromecast FireTV Roku etc
airgroupservice DLNA Media
   id urnschemas-upnp-orgdeviceMediaServer1
   id urnschemas-upnp-orgdeviceMediaServer2
   id urnschemas-upnp-orgdeviceMediaServer3
   id urnschemas-upnp-orgdeviceMediaServer4
   id urnschemas-upnp-orgdeviceMediaRenderer1
   id urnschemas-upnp-orgdeviceMediaRenderer2
   id urnschemas-upnp-orgdeviceMediaRenderer3
   id urnschemas-upnp-orgdeviceMediaPlayer1
   description Media
airgroupservice DLNA Print
   id urnschemas-upnp-orgdevicePrinter1
   id urnschemas-upnp-orgservicePrintBasic1
   id urnschemas-upnp-orgservicePrintEnhanced1
   description Print
airgroupservice allowall


   description Remaining-Services
airgroup service airplay enable
airgroup service airprint enable
airgroup service itunes disable
airgroup service remotemgmt disable
airgroup service sharing disable
airgroup service chat disable
airgroup service googlecast disable
airgroup service DIAL enable
airgroup service DLNA Media disable
airgroup service DLNA Print disable
airgroup service allowall disable
ip igmp
ipv6 mld
no firewall attack-rate cp 1024
firewall enable ICE-STUN based firewall traversal
firewall attack-rate grat-arp 50 drop
ipv6 firewall ext-hdr-parse-len 100
firewall cp
ip domain lookup
country US
aaa authentication mac default
aaa authentication dot1x ArubaIntop-dot1x_prof
aaa authentication dot1x ascom
   machine-authentication enable
   machine-authentication machine-default-role ascom
   machine-authentication user-default-role authenticated
   reauthentication
   termination enable
   termination eap-type eap-peap
   termination inner-eap-type eap-mschapv2
aaa authentication dot1x default
aaa authentication dot1x Freeradius
   machine-authentication enable
   machine-authentication machine-default-role ascom
   machine-authentication user-default-role authenticated
aaa authentication-server radius Intop
   host 19216802


   key 6035e299cd29e5ccb74cf92aac31ee2f
aaa server-group ascom
   auth-server Internal
aaa server-group default
   auth-server Internal
   set role condition role value-of
aaa server-group intop
   auth-server Intop
aaa profile ascom
   initial-role ascom
   authentication-dot1x ascom
   dot1x-default-role authenticated
   dot1x-server-group ascom
aaa profile default
aaa profile default-dot1x
   initial-role ascom
   authentication-dot1x Freeradius
   dot1x-default-role authenticated
   dot1x-server-group intop
aaa profile default-dot1x-psk
   initial-role ascom
   authentication-dot1x default-psk
   dot1x-default-role authenticated
aaa authentication captive-portal default
aaa authentication wispr default
aaa authentication vpn default
aaa authentication vpn default-rap
aaa authentication mgmt
aaa authentication stateful-ntlm default
aaa authentication stateful-kerberos default
aaa authentication stateful-dot1x
   server-group intop
aaa authentication wired
web-server
guest-access-email
voice logging
voice dialplan-profile default
app lync traffic-control default
voice real-time-config
voice sip
aaa password-policy mgmt


control-plane-security
   no cpsec-enable
ids wms-general-profile
   poll-retries 3
ids wms-local-system-profile
valid-network-oui-profile
upgrade-profile
license profile
activate-service-whitelist
file syncing profile
ifmap cppm
pan profile default
pan active-profile
ap system-profile default
ap regulatory-domain-profile default
   country-code US
   valid-11g-channel 1
   valid-11g-channel 6
   valid-11g-channel 11
   valid-11a-channel 36
   valid-11a-channel 40
   valid-11a-channel 44
   valid-11a-channel 48
   valid-11a-channel 149
   valid-11a-channel 153
   valid-11a-channel 157
   valid-11a-channel 161
   valid-11a-channel 165
   valid-11g-40mhz-channel-pair 1-5
   valid-11g-40mhz-channel-pair 7-11
   valid-11a-40mhz-channel-pair 36-40
   valid-11a-40mhz-channel-pair 44-48
   valid-11a-40mhz-channel-pair 149-153
   valid-11a-40mhz-channel-pair 157-161
ap wired-ap-profile default
ap enet-link-profile default
ap mesh-ht-ssid-profile default
ap lldp med-network-policy-profile default
ap mesh-cluster-profile default
ap lldp profile default
ap mesh-radio-profile default
ap wired-port-profile default
ids general-profile default
ids unauthorized-device-profile default


ids profile default
rf arm-profile default
   assignment disable
rf arm-profile disable
   assignment disable
   no scanning
   no multi-band-scan
rf optimization-profile default
rf event-thresholds-profile default
rf am-scan-profile default
rf dot11a-radio-profile ch 165
   channel 48E
   tx-power 6
   arm-profile disable
rf dot11a-radio-profile ch 36
   channel 36E
   tx-power 25
   dot11h
   arm-profile disable
rf dot11a-radio-profile ch 40
   channel 40-
   tx-power 22
rf dot11a-radio-profile ch149
   channel 149E
   tx-power 6
   dot11h
rf dot11a-radio-profile ch44
   channel 44
   tx-power 16
rf dot11a-radio-profile default
   arm-profile disable
rf dot11g-radio-profile channel-1
   channel 1
   tx-power 6
   dot11h
   arm-profile disable
rf dot11g-radio-profile channel-11
   channel 11
   tx-power 30
   dot11h
   arm-profile disable
rf dot11g-radio-profile channel-6
   channel 6
   tx-power 25
   dot11h
   arm-profile disable
rf dot11g-radio-profile default
wlan handover-trigger-profile default


wlan rrm-ie-profile default
wlan bcn-rpt-req-profile default
wlan dot11r-profile default
wlan tsm-req-profile default
wlan voip-cac-profile default
   call-capacity 5
   bandwidth-capacity 200
   send-sip-status-code client 503
   send-sip-status-code server 503
wlan ht-ssid-profile default
   no 40MHz-enable
   no very-high-throughput-enable
   no 80MHz-enable
   no short-guard-intvl-20MHz
   no short-guard-intvl-40MHz
   no short-guard-intvl-80MHz
wlan hotspot anqp-venue-name-profile default
wlan hotspot anqp-nwk-auth-profile default
wlan hotspot anqp-roam-cons-profile default
wlan hotspot anqp-nai-realm-profile default
wlan hotspot anqp-3gpp-nwk-profile default
wlan hotspot h2qp-operator-friendly-name-profile default
wlan hotspot h2qp-wan-metrics-profile default
wlan hotspot h2qp-conn-capability-profile default
wlan hotspot h2qp-op-cl-profile default
wlan hotspot anqp-ip-addr-avail-profile default
wlan hotspot anqp-domain-name-profile default
wlan wmm-traffic-management-profile Ascom
   enable-shaping
wlan edca-parameters-profile station default
wlan edca-parameters-profile ap default
wlan dot11k-profile default
wlan ssid-profile --NEW--
   essid ArubaIntop2
   wmm-vo-dscp 56
   wmm-vi-dscp 40
   wmm-be-dscp 24
   wmm-bk-dscp 8
wlan ssid-profile default
   essid ArubaIntop
   opmode wpa2-psk-aes
   dtim-period 5
   g-basic-rates 6
   g-tx-rates 11 12 18 24 36 48 54


   max-retries 4
   wmm
   wmm-vo-dscp 46
   wmm-vi-dscp 40
   wmm-be-dscp 26
   wmm-bk-dscp 0
   wepkey1 1317981aecb1ee9a3145cbeeabbbc99a4c29e309ef9c8544
   wpa-passphrase 50a78a5dac7e447441e028920cceef898a3ba5f29c6e2098
   max-tx-fail 25
   edca-parameters-profile station default
   edca-parameters-profile ap default
wlan ssid-profile test
   opmode wpa2-psk-aes
   wmm-vo-dscp 56
   wmm-vi-dscp 40
   wmm-be-dscp 24
   wmm-bk-dscp 8
   wpa-passphrase c66913b490044f55538730b888a8522c02008a746fb88738
wlan hotspot advertisement-profile default
wlan hotspot hs2-profile default
wlan virtual-ap default
   aaa-profile default-dot1x
ap provisioning-profile default
rf arm-rf-domain-profile
   arm-rf-domain-key 49868e8b02680a8f03980ea4288197a4
ap-lacp-striping-ip
ap-group default
   virtual-ap default
   dot11a-radio-profile ch149
   dot11g-radio-profile channel-6
ap-name 001a1eca2c1a
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-11
ap-name 001a1eca2c76
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-1
ap-name 00246ccbf8b1
ap-name 00246ccbf900
   dot11a-radio-profile ch44
   dot11g-radio-profile channel-11
ap-name 24dec6cacabc
   dot11a-radio-profile ch149
   dot11g-radio-profile channel-1
ap-name 3400-ap-61-a
   dot11g-radio-profile channel-6
ap-name 3400-ap-61-b
   dot11g-radio-profile channel-6
ap-name 9c1c12c0c3bc
   dot11a-radio-profile ch 165
   dot11g-radio-profile channel-6


ap-name 9c1c12c82e5c
   dot11a-radio-profile ch149
   dot11g-radio-profile channel-1
ap-name 9c1c12cc6220
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-6
ap-name d8c7c8c0a168
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-1
airgroup cppm-server aaa
logging level warnings security subcat ids
logging level warnings security subcat ids-ap
snmp-server enable trap
snmp-server trap source 0000
snmp-server trap disable wlsxAdhocNetwork
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedAP
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedSta
snmp-server trap disable wlsxAdhocUsingValidSSID
snmp-server trap disable wlsxAuthMaxAclEntries
snmp-server trap disable wlsxAuthMaxBWContracts
snmp-server trap disable wlsxAuthMaxUserEntries
snmp-server trap disable wlsxAuthServerIsUp
snmp-server trap disable wlsxAuthServerReqTimedOut
snmp-server trap disable wlsxAuthServerTimedOut
snmp-server trap disable wlsxChannelChanged
snmp-server trap disable wlsxCoverageHoleDetected
snmp-server trap disable wlsxDBCommunicationFailure
snmp-server trap disable wlsxDisconnectStationAttack
snmp-server trap disable wlsxESIServerDown
snmp-server trap disable wlsxESIServerUp
snmp-server trap disable wlsxFanFailure
snmp-server trap disable wlsxFanTrayInserted
snmp-server trap disable wlsxFanTrayRemoved
snmp-server trap disable wlsxGBICInserted
snmp-server trap disable wlsxIpSpoofingDetected
snmp-server trap disable wlsxLCInserted
snmp-server trap disable wlsxLCRemoved
snmp-server trap disable wlsxLicenseExpiry
snmp-server trap disable wlsxLowMemory
snmp-server trap disable wlsxLowOnFlashSpace
snmp-server trap disable wlsxOutOfRangeTemperature
snmp-server trap disable wlsxOutOfRangeVoltage
snmp-server trap disable wlsxPowerSupplyFailure
snmp-server trap disable wlsxPowerSupplyMissing
snmp-server trap disable wlsxProcessDied
snmp-server trap disable wlsxProcessExceedsMemoryLimits
snmp-server trap disable wlsxSCInserted
snmp-server trap disable wlsxSignatureMatch
snmp-server trap disable wlsxStaUnAssociatedFromUnsecureAP
snmp-server trap disable wlsxStationAddedToBlackList
snmp-server trap disable wlsxStationRemovedFromBlackList
snmp-server trap disable wlsxSwitchIPChanged
snmp-server trap disable wlsxSwitchRoleChange
snmp-server trap disable wlsxUserAuthenticationFailed
snmp-server trap disable wlsxUserEntryAuthenticated
snmp-server trap disable wlsxUserEntryChanged
snmp-server trap disable wlsxUserEntryCreated
snmp-server trap disable wlsxUserEntryDeAuthenticated
snmp-server trap disable wlsxUserEntryDeleted
snmp-server trap disable wlsxVrrpStateChange


firewall-visibility
process monitor log
end

logon access-list session ra-guard access-list session logon-control access-list session captiveportal access-list session vpnlogon access-list session v6-logon-control access-list session captiveportal6no kernel coredumpinterface mgmtshutdowndialer group evdo_us init-string ATQ0V1E0 dial-string ATDT777dialer group gsm_us init-string AT+CGDCONT=1IPISPCINGULAR dial-string ATD99dialer group gsm_asia init-string AT+CGDCONT=1IPinternet dial-string ATD991dialer group vivo_br init-string AT+CGDCONT=1IPzapvivocombr dial-string ATD99no spanning-treeinterface gigabitethernet 10description GE10trustedtrusted vlan 1-4094interface gigabitethernet 11description GE11trustedtrusted vlan 1-4094interface gigabitethernet 12description GE12trustedtrusted vlan 1-4094interface gigabitethernet 13description GE13trustedtrusted vlan 1-4094interface vlan 1ip address 192168013 2552552550ip default-gateway 172201061ip default-gateway 192168050uplink disablecrypto isakmp policy 20 encryption aes256crypto isakmp policy 10001crypto isakmp policy 10002 encryption aes256 authentication rsa-sigcrypto isakmp policy 10003 encryption aes256crypto isakmp policy 10004 version v2 encryption aes256 authentication rsa-sigcrypto isakmp policy 10005 encryption aes256crypto isakmp policy 10006 version v2 encryption aes128 authentication rsa-sigcrypto isakmp policy 10007 version v2 encryption aes128crypto isakmp policy 10008 version v2 encryption aes128 hash sha2-256-128 group 19 authentication ecdsa-256 prf prf-hmac-sha256crypto isakmp policy 10009 version v2 encryption aes256 hash sha2-384-192 group 20 authentication ecdsa-384 prf prf-hmac-sha384crypto ipsec transform-set default-ha-transform esp-3des esp-sha-hmaccrypto ipsec transform-set default-boc-bm-transform esp-3des esp-sha-hmaccrypto ipsec transform-set default-rap-transform esp-aes256 esp-sha-hmaccrypto ipsec transform-set default-aes esp-aes256 esp-sha-hmaccrypto dynamic-map default-rap-ipsecmap 10001 version v2 set transform-set default-gcm256 
default-gcm128 default-rap-transform crypto dynamic-map default-dynamicmap 10000 set transform-set default-transform default-aes crypto map GLOBAL-IKEV2-MAP 10000 ipsec-isakmp dynamic default-rap-ipsecmapcrypto map GLOBAL-MAP 10000 ipsec-isakmp dynamic default-dynamicmapcrypto isakmp eap-passthrough eap-tlscrypto isakmp eap-passthrough eap-peapcrypto isakmp eap-passthrough eap-mschapv2vpdn group l2tp vpdn group pptptunneled-node-address 0000adp discovery enableadp igmp-join enableadp igmp-vlan 0voice rtcp-inactivity disablevoice alg-based-cac enablevoice sip-midcall-req-timeout disableap ap-blacklist-time 3600ap flush-r1-on-new-r0 disablemgmt-user admin root 5436b5a101681372db26d314e974065944317cd3e1fe6a5534no database synchronizeip mobile domain defaultairgroup mdns enableairgroup dlna enableairgroup location-discovery enableairgroup active-wireless-discovery disableairgroupservice airplay id _airplay_tcp id _raop_tcp id _appletv-v2_tcp description AirPlayairgroupservice airprint id _ipp_tcp id _pdl-datastream_tcp id _printer_tcp id _scanner_tcp id _universal_sub_ipp_tcp id _universal_sub_ipps_tcp id _printer_sub_http_tcp id _http_tcp id _http-alt_tcp id _ipp-tls_tcp id _fax-ipp_tcp id _riousbprint_tcp id _cups_sub_ipp_tcp id _cups_sub_fax-ipp_tcp id _ica-networking_tcp id _ptp_tcp id _canon-bjnp1_tcp id _ipps_tcp id _ica-networking2_tcp description AirPrintairgroupservice itunes id _home-sharing_tcp id _apple-mobdev_tcp id _daap_tcp id _dacp_tcp description iTunesairgroupservice remotemgmt id _ssh_tcp id _sftp-ssh_tcp id _ftp_tcp id _telnet_tcp id _rfb_tcp id _net-assistant_tcp description Remote managementairgroupservice sharing id _odisk_tcp id _afpovertcp_tcp id _xgrid_tcp description Sharingairgroupservice chat id _presence_tcp description Chatairgroupservice googlecast id _googlecast_tcp description GoogleCast supported by Chromecast etcairgroupservice DIAL id urndial-multiscreen-orgservicedial1 id urndial-multiscreen-orgdevicedial1 description DIAL 
supported by Chromecast FireTV Roku etcairgroupservice DLNA Media id urnschemas-upnp-orgdeviceMediaServer1 id urnschemas-upnp-orgdeviceMediaServer2 id urnschemas-upnp-orgdeviceMediaServer3 id urnschemas-upnp-orgdeviceMediaServer4 id urnschemas-upnp-orgdeviceMediaRenderer1 id urnschemas-upnp-orgdeviceMediaRenderer2 id urnschemas-upnp-orgdeviceMediaRenderer3 id urnschemas-upnp-orgdeviceMediaPlayer1 description Mediaairgroupservice DLNA Print id urnschemas-upnp-orgdevicePrinter1 id urnschemas-upnp-orgservicePrintBasic1 id urnschemas-upnp-orgservicePrintEnhanced1 description Printairgroupservice allowall description Remaining-Servicesairgroup service airplay enableairgroup service airprint enableairgroup service itunes disableairgroup service remotemgmt disableairgroup service sharing disableairgroup service chat disableairgroup service googlecast disableairgroup service DIAL enableairgroup service DLNA Media disableairgroup service DLNA Print disableairgroup service allowall disableip igmpipv6 mldno firewall attack-rate cp 1024firewall enable ICE-STUN based firewall traversalfirewall attack-rate grat-arp 50 dropipv6 firewall ext-hdr-parse-len 100firewall cpip domain lookupcountry USaaa authentication mac defaultaaa authentication dot1x ArubaIntop-dot1x_profaaa authentication dot1x ascom machine-authentication enable machine-authentication machine-default-role ascom machine-authentication user-default-role authenticated reauthentication termination enable termination eap-type eap-peap termination inner-eap-type eap-mschapv2aaa authentication dot1x defaultaaa authentication dot1x Freeradius machine-authentication enable machine-authentication machine-default-role ascom machine-authentication user-default-role authenticatedaaa authentication-server radius Intop host 19216802 key 6035e299cd29e5ccb74cf92aac31ee2faaa server-group ascom auth-server Internalaaa server-group default auth-server Internal set role condition role value-ofaaa server-group intop auth-server 
Intopaaa profile ascom initial-role ascom authentication-dot1x ascom dot1x-default-role authenticated dot1x-server-group ascomaaa profile defaultaaa profile default-dot1x initial-role ascom authentication-dot1x Freeradius dot1x-default-role authenticated dot1x-server-group intopaaa profile default-dot1x-psk initial-role ascom authentication-dot1x default-psk dot1x-default-role authenticatedaaa authentication captive-portal defaultaaa authentication wispr defaultaaa authentication vpn defaultaaa authentication vpn default-rapaaa authentication mgmtaaa authentication stateful-ntlm defaultaaa authentication stateful-kerberos defaultaaa authentication stateful-dot1x server-group intopaaa authentication wiredweb-serverguest-access-emailvoice loggingvoice dialplan-profile defaultapp lync traffic-control defaultvoice real-time-configvoice sipaaa password-policy mgmtcontrol-plane-security no cpsec-enableids wms-general-profile poll-retries 3ids wms-local-system-profilevalid-network-oui-profileupgrade-profilelicense profileactivate-service-whitelistfile syncing profileifmap cppmpan profile defaultpan active-profileap system-profile defaultap regulatory-domain-profile default country-code US valid-11g-channel 1 valid-11g-channel 6 valid-11g-channel 11 valid-11a-channel 36 valid-11a-channel 40 valid-11a-channel 44 valid-11a-channel 48 valid-11a-channel 149 valid-11a-channel 153 valid-11a-channel 157 valid-11a-channel 161 valid-11a-channel 165 valid-11g-40mhz-channel-pair 1-5 valid-11g-40mhz-channel-pair 7-11 valid-11a-40mhz-channel-pair 36-40 valid-11a-40mhz-channel-pair 44-48 valid-11a-40mhz-channel-pair 149-153 valid-11a-40mhz-channel-pair 157-161ap wired-ap-profile defaultap enet-link-profile defaultap mesh-ht-ssid-profile defaultap lldp med-network-policy-profile defaultap mesh-cluster-profile defaultap lldp profile defaultap mesh-radio-profile defaultap wired-port-profile defaultids general-profile defaultids unauthorized-device-profile defaultids profile defaultrf 
arm-profile default assignment disablerf arm-profile disable assignment disable no scanning no multi-band-scanrf optimization-profile defaultrf event-thresholds-profile defaultrf am-scan-profile defaultrf dot11a-radio-profile ch 165 channel 48E tx-power 6 arm-profile disablerf dot11a-radio-profile ch 36 channel 36E tx-power 25 dot11h arm-profile disablerf dot11a-radio-profile ch 40 channel 40- tx-power 22rf dot11a-radio-profile ch149 channel 149E tx-power 6 dot11hrf dot11a-radio-profile ch44 channel 44 tx-power 16rf dot11a-radio-profile default arm-profile disablerf dot11g-radio-profile channel-1 channel 1 tx-power 6 dot11h arm-profile disablerf dot11g-radio-profile channel-11 channel 11 tx-power 30 dot11h arm-profile disablerf dot11g-radio-profile channel-6 channel 6 tx-power 25 dot11h arm-profile disablerf dot11g-radio-profile defaultwlan handover-trigger-profile defaultwlan rrm-ie-profile defaultwlan bcn-rpt-req-profile defaultwlan dot11r-profile defaultwlan tsm-req-profile defaultwlan voip-cac-profile default call-capacity 5 bandwidth-capacity 200 send-sip-status-code client 503 send-sip-status-code server 503wlan ht-ssid-profile default no 40MHz-enable no very-high-throughput-enable no 80MHz-enable no short-guard-intvl-20MHz no short-guard-intvl-40MHz no short-guard-intvl-80MHzwlan hotspot anqp-venue-name-profile defaultwlan hotspot anqp-nwk-auth-profile defaultwlan hotspot anqp-roam-cons-profile defaultwlan hotspot anqp-nai-realm-profile defaultwlan hotspot anqp-3gpp-nwk-profile defaultwlan hotspot h2qp-operator-friendly-name-profile defaultwlan hotspot h2qp-wan-metrics-profile defaultwlan hotspot h2qp-conn-capability-profile defaultwlan hotspot h2qp-op-cl-profile defaultwlan hotspot anqp-ip-addr-avail-profile defaultwlan hotspot anqp-domain-name-profile defaultwlan wmm-traffic-management-profile Ascom enable-shapingwlan edca-parameters-profile station defaultwlan edca-parameters-profile ap defaultwlan dot11k-profile defaultwlan ssid-profile --NEW-- essid 
ArubaIntop2 wmm-vo-dscp 56 wmm-vi-dscp 40 wmm-be-dscp 24 wmm-bk-dscp 8wlan ssid-profile default essid ArubaIntop opmode wpa2-psk-aes dtim-period 5 g-basic-rates 6 g-tx-rates 11 12 18 24 36 48 54 max-retries 4 wmm wmm-vo-dscp 46 wmm-vi-dscp 40 wmm-be-dscp 26 wmm-bk-dscp 0 wepkey1 1317981aecb1ee9a3145cbeeabbbc99a4c29e309ef9c8544 wpa-passphrase 50a78a5dac7e447441e028920cceef898a3ba5f29c6e2098 max-tx-fail 25 edca-parameters-profile station default edca-parameters-profile ap defaultwlan ssid-profile test opmode wpa2-psk-aes wmm-vo-dscp 56 wmm-vi-dscp 40 wmm-be-dscp 24 wmm-bk-dscp 8 wpa-passphrase c66913b490044f55538730b888a8522c02008a746fb88738wlan hotspot advertisement-profile defaultwlan hotspot hs2-profile defaultwlan virtual-ap default aaa-profile default-dot1xap provisioning-profile defaultrf arm-rf-domain-profile arm-rf-domain-key 49868e8b02680a8f03980ea4288197a4ap-lacp-striping-ipap-group default virtual-ap default dot11a-radio-profile ch149 dot11g-radio-profile channel-6ap-name 001a1eca2c1a dot11a-radio-profile ch 36 dot11g-radio-profile channel-11ap-name 001a1eca2c76 dot11a-radio-profile ch 36 dot11g-radio-profile channel-1ap-name 00246ccbf8b1ap-name 00246ccbf900 dot11a-radio-profile ch44 dot11g-radio-profile channel-11ap-name 24dec6cacabc dot11a-radio-profile ch149 dot11g-radio-profile channel-1ap-name 3400-ap-61-a dot11g-radio-profile channel-6ap-name 3400-ap-61-b dot11g-radio-profile channel-6ap-name 9c1c12c0c3bc dot11a-radio-profile ch 165 dot11g-radio-profile channel-6ap-name 9c1c12c82e5c dot11a-radio-profile ch149 dot11g-radio-profile channel-1ap-name 9c1c12cc6220 dot11a-radio-profile ch 36 dot11g-radio-profile channel-6ap-name d8c7c8c0a168 dot11a-radio-profile ch 36 dot11g-radio-profile channel-1airgroup cppm-server aaalogging level warnings security subcat idslogging level warnings security subcat ids-apsnmp-server enable trapsnmp-server trap source 0000snmp-server trap disable wlsxAdhocNetworksnmp-server trap disable 
wlsxAdhocNetworkBridgeDetectedAPsnmp-server trap disable wlsxAdhocNetworkBridgeDetectedStasnmp-server trap disable wlsxAdhocUsingValidSSIDsnmp-server trap disable wlsxAuthMaxAclEntriessnmp-server trap disable wlsxAuthMaxBWContractssnmp-server trap disable wlsxAuthMaxUserEntriessnmp-server trap disable wlsxAuthServerIsUpsnmp-server trap disable wlsxAuthServerReqTimedOutsnmp-server trap disable wlsxAuthServerTimedOutsnmp-server trap disable wlsxChannelChangedsnmp-server trap disable wlsxCoverageHoleDetectedsnmp-server trap disable wlsxDBCommunicationFailuresnmp-server trap disable wlsxDisconnectStationAttacksnmp-server trap disable wlsxESIServerDownsnmp-server trap disable wlsxESIServerUpsnmp-server trap disable wlsxFanFailuresnmp-server trap disable wlsxFanTrayInsertedsnmp-server trap disable wlsxFanTrayRemovedsnmp-server trap disable wlsxGBICInsertedsnmp-server trap disable wlsxIpSpoofingDetectedsnmp-server trap disable wlsxLCInsertedsnmp-server trap disable wlsxLCRemovedsnmp-server trap disable wlsxLicenseExpirysnmp-server trap disable wlsxLowMemorysnmp-server trap disable wlsxLowOnFlashSpacesnmp-server trap disable wlsxOutOfRangeTemperaturesnmp-server trap disable wlsxOutOfRangeVoltagesnmp-server trap disable wlsxPowerSupplyFailuresnmp-server trap disable wlsxPowerSupplyMissingsnmp-server trap disable wlsxProcessDiedsnmp-server trap disable wlsxProcessExceedsMemoryLimitssnmp-server trap disable wlsxSCInsertedsnmp-server trap disable wlsxSignatureMatchsnmp-server trap disable wlsxStaUnAssociatedFromUnsecureAPsnmp-server trap disable wlsxStationAddedToBlackListsnmp-server trap disable wlsxStationRemovedFromBlackListsnmp-server trap disable wlsxSwitchIPChangedsnmp-server trap disable wlsxSwitchRoleChangesnmp-server trap disable wlsxUserAuthenticationFailedsnmp-server trap disable wlsxUserEntryAuthenticatedsnmp-server trap disable wlsxUserEntryChangedsnmp-server trap disable wlsxUserEntryCreatedsnmp-server trap disable wlsxUserEntryDeAuthenticatedsnmp-server trap 
disable wlsxUserEntryDeletedsnmp-server trap disable wlsxVrrpStateChangefirewall-visibility process monitor logend

WLAN Interoperability Test Report
Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP115 and AP225
WLAN configuration: Beacon Interval 100ms, DTIM Interval 5, 802.11d Regulatory Domain XX, WMM Enabled (AutoWMM), No Auto-tune, Single Voice VLAN
Test Case | Description | AP115 2.4 GHz | AP115 5.0 GHz | AP225 2.4 GHz | AP225 5.0 GHz | Comment
TEST AREA ASSOCIATION AUTHENTICATION
101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS |
104 | Association with WPA-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62
105 | Association with WPA-PSK authentication, AES-CCMP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62
106 | Association with WPA2-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS |
110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL
111 | Association with EAP-FAST authentication | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment
116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate
TEST AREA POWER-SAVE AND QOS PASS
150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL
151 | Beacon period and DTIM interval | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED
152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment
202 | WMM prioritization | PASS | PASS | PASS | PASS | Background load generated with iPerf. No degeneration of voice quality
TEST AREA PERFORMANCE
301 | Active mode - unencrypted | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
303 | Active mode - encrypted with WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
308 | Power-save mode U-APSD - WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
309 | Power-save mode U-APSD - WPA2-PSK AES background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
310 | CAC - TSPEC | PASS | PASS | PASS | PASS | No TSPEC based CAC
TEST AREA ROAMING AND HANDOVER TIMES
401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | avg a/n 24ms, b/g/n 24ms
403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 52ms, b/g/n 59ms
408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 63ms, b/g/n 62ms
410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | always on, see 408
411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | always on, see 408
TEST AREA BATTERY LIFETIME
501 | Battery lifetime in idle | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
502 | Battery lifetime in call with no power save | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
504 | Battery lifetime in call with power save mode U-APSD | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
TEST AREA STABILITY
601 | Duration of call - Active mode | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
602 | Duration of call - U-APSD mode | PASS | PASS | PASS | PASS |
TEST AREA 802.11n
801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
804 | 40MHz channels | NOT TESTED | PASS | NOT TESTED | NOT TESTED |
805 | 802.11n rates | PASS | PASS | PASS | PASS |
WLAN Interoperability Test Report
Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP103 and AP205
WLAN configuration: Beacon Interval 100ms, DTIM Interval 5, 802.11d Regulatory Domain XX, WMM Enabled (AutoWMM), No Auto-tune, Single Voice VLAN
Test Case | Description | AP205 2.4 GHz | AP205 5.0 GHz | AP103 2.4 GHz | AP103 5.0 GHz | Comment
TEST AREA ASSOCIATION AUTHENTICATION
101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS |
104 | Association with WPA-PSK authentication, TKIP encryption | See Comment | See Comment | See Comment | See Comment | Not tested. Only possible in Mixed mode and requires advanced configuration of i62
105 | Association with WPA-PSK authentication, AES-CCMP encryption | See Comment | See Comment | See Comment | See Comment | Not tested. Only possible in Mixed mode and requires advanced configuration of i62
106 | Association with WPA2-PSK authentication, TKIP encryption | PASS | PASS | PASS | PASS |
107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS |
110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL
115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment
116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate
TEST AREA POWER-SAVE AND QOS PASS
150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL
151 | Beacon period and DTIM interval | See Comment | See Comment | PASS | PASS | Only DTIM 1 for AP205, AP103 no remark NOT TESTED
152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment
202 | WMM prioritization | PASS | PASS | PASS | PASS |
TEST AREA PERFORMANCE
301 | Active mode - unencrypted | PASS | PASS | PASS | PASS |
303 | Active mode - encrypted with WPA2-PSK | PASS | PASS | PASS | PASS |
308 | Power-save mode U-APSD - WPA2-PSK | PASS | PASS | PASS | PASS |
309 | Power-save mode U-APSD - WPA2-PSK AES background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
310 | CAC - TSPEC | PASS | PASS | PASS | PASS | Non tspec based CAC
TEST AREA ROAMING AND HANDOVER TIMES
401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 16ms, b/g/n 18ms
403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 53ms, b/g/n 59ms
408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 46ms, b/g/n 62ms
410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | always on, see 408
411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | always on, see 408
TEST AREA BATTERY LIFETIME
501 | Battery lifetime in idle | See Comment | See Comment | PASS | PASS | 60-70h due to DTIM 1 only; AP103 90-100h (DTIM 5)
502 | Battery lifetime in call with no power save | PASS | PASS | PASS | PASS | 3-4 hours
504 | Battery lifetime in call with power save mode U-APSD | PASS | PASS | PASS | PASS | 13h (14-16h for AP103)
TEST AREA STABILITY
601 | Duration of call - Active mode | PASS | PASS | PASS | PASS | 24h +
602 | Duration of call - U-APSD mode | PASS | PASS | PASS | PASS | 24h +
TEST AREA 802.11n
801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
804 | 40MHz channels | NOT TESTED | PASS | NOT TESTED | PASS | AP205 80MHz channels verified ok
805 | 802.11n rates | PASS | PASS | PASS | PASS |
WLAN Interoperability Test Report
Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP105 and AP135
WLAN configuration: Beacon Interval 100ms, DTIM Interval 5, 802.11d Regulatory Domain XX, WMM Enabled (AutoWMM), No Auto-tune, Single Voice VLAN
Test Case | Description | AP105 2.4 GHz | AP105 5.0 GHz | AP135 2.4 GHz | AP135 5.0 GHz | Comment
TEST AREA ASSOCIATION AUTHENTICATION
101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS |
104 | Association with WPA-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62
105 | Association with WPA-PSK authentication, AES-CCMP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62
106 | Association with WPA2-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS |
110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL
115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment
116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate
TEST AREA POWER-SAVE AND QOS PASS
150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL
151 | Beacon period and DTIM interval | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Only DTIM 1 for AP205, AP103 no remark NOT TESTED
152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment
202 | WMM prioritization | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Background load generated with iPerf. No degeneration of voice quality
TEST AREA PERFORMANCE
301 | Active mode - unencrypted | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
303 | Active mode - encrypted with WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
308 | Power-save mode U-APSD - WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
309 | Power-save mode U-APSD - WPA2-PSK AES background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
310 | CAC - TSPEC | PASS | PASS | PASS | PASS | No TSPEC based CAC
TEST AREA ROAMING AND HANDOVER TIMES
401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | avg a/n 29ms, b/g/n 27ms
403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 57ms, b/g/n 55ms
408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 62ms, b/g/n 60ms
410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | Always on, see 408
411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | Always on, see 408
412 | Preauthentication | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
TEST AREA BATTERY LIFETIME
501 | Battery lifetime in idle | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
502 | Battery lifetime in call with no power save | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
504 | Battery lifetime in call with power save mode U-APSD | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
TEST AREA STABILITY
601 | Duration of call - Active mode | PASS | PASS | PASS | PASS |
602 | Duration of call - U-APSD mode | PASS | PASS | PASS | PASS |
TEST AREA 802.11n
801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
804 | 40MHz channels | NOT TESTED | NOT TESTED | NOT TESTED | PASS |
805 | 802.11n rates | PASS | PASS | PASS | PASS |

Roaming

High Level Functionality | Result
Roaming Open with No Encryption | OK (Avg roaming time 24ms)
Roaming WPA-PSK TKIP Encryption | Not tested
Roaming WPA2-PSK AES Encryption | OK (Avg roaming time 59ms)
Roaming PEAP-MSCHAPv2 Auth AES Encryption | OK (Avg roaming time 68ms)

Stated roaming times were measured using 802.11b/g (n) AP-225. Refer to Appendix B for detailed test records.

Results observed with Opportunistic Key Caching enabled. Results average 400ms without Opportunistic Key Caching.

Known Limitations

- Note that AP-205/214/215/224/225/275 only support DTIM 1. This will reduce the standby (idle) time from approximately 100 hours to 60 hours.

- Ascom i62 does not handle 802.11k info correctly, which affects the roaming negatively. It is therefore highly recommended to configure the Aruba system not to advertise the 802.11k capabilities for the Ascom i62 SSID.

Conclusion

The verification, including association, authentication, roaming and load test, produced very good results overall. Roaming times were in general good, with roaming times of around 40-60ms both when using WPA2-PSK/AES and PEAP-MSCHAPv2 (WPA2/AES).

Load testing showed that more than 18 Ascom i62 Handsets could maintain a call via a single Aruba access point when tested both in active and U-APSD modes. Note that 18 was the maximum number of devices tested and not the capacity limit.

Appendix 1

This section includes screenshots and explanations of basic settings required to use Ascom i62 Handsets with an Aruba 3400 Mobility Controller. Please note the security settings of each test case, as they were modified according to the needs of the test cases.

The configuration file is found at the end of this appendix.

General settings (SSID, Radio and QoS)

Set DTIM Interval to 5 (for AP-204/205/214/215/224/225 only value 1 is supported). This value is recommended for maximum battery conservation without impacting call quality. Using a lower value will also decrease the standby time slightly.

Ascom recommends disabling the lowest rates and recommends that 12 Mbit/s is the lowest basic rate.

Ensure that WMM and U-APSD are enabled. To match the default values in the i62, use DSCP 46 for voice, 26 for video and 0 for best effort. It is also recommended that "Max Transmit Attempts" be set to 4.

Note: To further optimize performance, it is recommended that 802.11b clients be disallowed from associating by setting 6 Mbps or 12 Mbps as Basic Rates in the 802.11g configuration.

Set "Maximum Transmit Failures" to 25.

"High throughput enable" enables 802.11n capabilities, which are supported in combination with Open encryption and WPA2-AES (PSK or Enterprise).

Ascom supports both 40MHz and Very High Throughput enabled SSIDs, including 80MHz channels.

Ascom recommends a Beacon Interval of 100ms and advertising 802.11d/h capabilities.

General guidelines when deploying Ascom i62 handsets (SW version 2.5.7 or later) in 802.11a/n environments:

1. Enabling more than 8 channels will degrade roaming performance. Ascom strongly recommends against going above this limit.

2. Using 40 MHz channels (or "channel-bonding") will reduce the number of non-DFS channels to two in ETSI regions (Europe). In FCC regions (North America) 40MHz is a more viable option because of the availability of additional non-DFS channels. The handset can co-exist with 40MHz stations in the same ESS.

3. Make sure that all non-DFS channels are taken before resorting to DFS channels. The handset can cope in mixed non-DFS and DFS environments; however, due to the "unpredictability" introduced by radar detection protocols, voice quality may become distorted and roaming delayed. Hence Ascom recommends avoiding the use of DFS channels in VoWi-Fi deployments.

DFS = Dynamic Frequency Selection (radar detection)

Ascom recommends a Beacon Interval of 100ms and advertising 802.11d/h capabilities. For 802.11b/g/n use only channels 1, 6 and 11. For 802.11a/n use channels in accordance with Aruba's guidelines and in compliance with local regulations.
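One way to check a controller configuration against the handset settings recommended above (DTIM interval, retry limits, WMM DSCP values, lowest basic rate, WPA2 with AES), as an added example that is not part of the original guide or of any Aruba or Ascom tooling. The sample configuration and the profile names voice-a and voice-b are constructed; the keywords are the ones that appear in the guide's configuration file, and the parser assumes one command per line with indented sub-commands.

```python
"""Audit 'wlan ssid-profile' stanzas against the guide's handset recommendations."""
import re

# Target values taken from the guide's "General settings" text.
RECOMMENDED = {
    "dtim-period": 5,    # DTIM Interval 5
    "max-retries": 4,    # "Max Transmit Attempts" 4
    "max-tx-fail": 25,   # "Maximum Transmit Failures" 25
    "wmm-vo-dscp": 46,   # DSCP for voice
    "wmm-vi-dscp": 26,   # DSCP for video
    "wmm-be-dscp": 0,    # DSCP for best effort
}
MIN_BASIC_RATE = 12      # lowest basic rate Ascom recommends, in Mbit/s

# Constructed sample input (assumed layout: indented sub-commands, "!" separators).
SAMPLE_CONFIG = '''\
wlan ssid-profile "voice-a"
   essid "VoiceA"
   opmode wpa2-psk-aes
   dtim-period 5
   g-basic-rates 12 24
   max-retries 4
   wmm
   wmm-vo-dscp 46
   wmm-vi-dscp 26
   wmm-be-dscp 0
   max-tx-fail 25
!
wlan ssid-profile "voice-b"
   essid "VoiceB"
   dtim-period 1
   g-basic-rates 6
   wmm
   wmm-vo-dscp 56
   wmm-vi-dscp 40
   wmm-be-dscp 24
!
wlan virtual-ap "default"
   aaa-profile "default-dot1x"
!
'''


def parse_ssid_profiles(config_text):
    """Return {profile name: {keyword: [arguments]}} for each ssid-profile stanza."""
    profiles, current = {}, None
    for raw in config_text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if not raw[0].isspace():                  # top-level command opens or closes a stanza
            m = re.match(r'wlan ssid-profile\s+"?([^"]+?)"?\s*$', raw)
            current = profiles.setdefault(m.group(1), {}) if m else None
        elif current is not None:                 # sub-command inside an ssid-profile
            words = raw.split()
            if words[0] == "no" and len(words) > 1:
                current.pop(words[1], None)       # "no wmm" switches the setting off
            else:
                current[words[0]] = words[1:]
    return profiles


def audit_profile(settings):
    """Return a list of deviations from the recommended values (empty if none)."""
    findings = []
    for key, want in RECOMMENDED.items():
        have = settings.get(key)
        if not have:
            findings.append(f"{key}: not set in this stanza, guide recommends {want}")
        elif int(have[0]) != want:
            findings.append(f"{key}: {have[0]}, guide recommends {want}")
    if "wmm" not in settings:
        findings.append("wmm: not enabled")
    rates = [int(r) for r in settings.get("g-basic-rates", [])]
    if rates and min(rates) < MIN_BASIC_RATE:
        findings.append(f"g-basic-rates: lowest is {min(rates)}, guide recommends {MIN_BASIC_RATE}")
    opmode = settings.get("opmode")
    if not opmode:
        findings.append("opmode: not set in this stanza, so no WPA2/AES is configured here")
    elif not all(m.startswith("wpa2-") and m.endswith("aes") for m in opmode):
        findings.append(f"opmode: {' '.join(opmode)}, guide uses WPA2 with AES")
    return findings


def audit_config(config_text):
    """Audit every ssid-profile found in the configuration text."""
    return {name: audit_profile(s) for name, s in parse_ssid_profiles(config_text).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```
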

EncryptionandAuthenticationSettings

WPA2‐PSK Set the security profile to WPA2‐PSK AES encryption

DeployingAscomrsquosi62VoWi‐FiHandsetwithArubaNetworksrsquoSecureMobilitySolution 15

Enterprise1X authentication

Step 1 When configuring the authentication mode using a Radius sever the IP address and the secret

must correspond to the IP address and the credential used by the Radius server The RADIUS server

should be added to a Server Group

Step 2 Create an 8021X Authentication Profile

DeployingAscomrsquosi62VoWi‐FiHandsetwithArubaNetworksrsquoSecureMobilitySolution 16

Step 3: Choose the 802.1X Authentication profile created in the previous step and configure the Authentication Server group.

Choose the configured AAA Profile and set WPA2/AES as the security mode.

See Appendix B for the controller configuration used for the certification process.
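
The channel guidelines and the WPA2/AES security mode described above can be checked mechanically against a controller configuration. The following Python script is an added example, not part of the Aruba/Ascom guide: the sample configuration is constructed (modelled on the Appendix B syntax), and the DFS channel range and the finding names are assumptions of this example.

```python
import re

MAX_5GHZ_CHANNELS = 8                             # guideline 1 above
ALLOWED_24GHZ = {1, 6, 11}                        # 802.11b/g/n guideline above
WPA2_AES_OPMODES = {"wpa2-psk-aes", "wpa2-aes"}   # PSK and 802.1X variants
# Assumption of this example: 5 GHz channels 52-64 and 100-144 require DFS.
DFS_5GHZ = set(range(52, 65, 4)) | set(range(100, 145, 4))

HEADER = re.compile(
    r'^(ap regulatory-domain-profile|wlan ssid-profile)\s+"?([^"]+?)"?$')

# Constructed sample configuration (not taken from the guide).
SAMPLE_CONFIG = """\
ap regulatory-domain-profile "voice-ok"
    country-code US
    valid-11g-channel 1
    valid-11g-channel 6
    valid-11g-channel 11
    valid-11a-channel 36
    valid-11a-channel 40
    valid-11a-channel 149
!
ap regulatory-domain-profile "voice-bad"
    valid-11g-channel 1
    valid-11g-channel 3
    valid-11g-channel 6
    valid-11g-channel 11
    valid-11a-channel 36
    valid-11a-channel 40
    valid-11a-channel 44
    valid-11a-channel 48
    valid-11a-channel 52
    valid-11a-channel 56
    valid-11a-channel 149
    valid-11a-channel 153
    valid-11a-channel 157
    valid-11a-40mhz-channel-pair 36-40
!
wlan ssid-profile "voice-psk"
    opmode wpa2-psk-aes
!
wlan ssid-profile "voice-1x"
    opmode wpa2-aes
!
wlan ssid-profile "legacy"
    opmode wpa-psk-tkip
!
wlan ssid-profile "unset"
    essid NoMode
!
"""


def parse_blocks(text):
    """Split a config into (header, [sub-commands]); '!' closes a block."""
    blocks, body = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!":
            body = None
        elif not raw[0].isspace():       # unindented line starts a new block
            body = []
            blocks.append((line, body))
        elif body is not None:
            body.append(line)
    return blocks


def channels(body, keyword):
    """Channel numbers from lines such as 'valid-11a-channel 36'."""
    return sorted(int(l.split()[1]) for l in body if l.split()[0] == keyword)


def audit(text):
    """Return (profile, finding, detail) tuples for guideline deviations."""
    findings = []
    for header, body in parse_blocks(text):
        match = HEADER.match(header)
        if not match:
            continue
        kind, name = match.groups()
        if kind == "ap regulatory-domain-profile":
            ch5 = channels(body, "valid-11a-channel")
            ch24 = channels(body, "valid-11g-channel")
            if len(ch5) > MAX_5GHZ_CHANNELS:
                findings.append((name, "TOO_MANY_5GHZ_CHANNELS", ch5))
            dfs = [c for c in ch5 if c in DFS_5GHZ]
            if dfs:
                findings.append((name, "DFS_CHANNEL_ENABLED", dfs))
            odd = [c for c in ch24 if c not in ALLOWED_24GHZ]
            if odd:
                findings.append((name, "NOT_CHANNEL_1_6_11", odd))
        else:
            modes = [t for l in body if l.startswith("opmode ")
                     for t in l.split()[1:]]
            if not modes:                # no opmode line: controller default applies
                findings.append((name, "OPMODE_NOT_SET", []))
            weak = [m for m in modes if m not in WPA2_AES_OPMODES]
            if weak:
                findings.append((name, "OPMODE_NOT_WPA2_AES", weak))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```
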

Ascom i62 Setting Summary

Network settings for WPA2‐PSK

Network settings for 802.1X authentication (PEAP-MSCHAPv2)

802.1X authentication requires a root certificate to be uploaded to the phone by "right clicking" -> Edit certificates. EAP-TLS will require both a root and a client certificate.

Note that both a root and a client certificate are needed for TLS. Otherwise only a root certificate is needed.

Server certificate validation can be overridden in version 4.1.12 and above with a per-handset setting (Validate server certificate under Network settings). With validation disabled, the handset no longer authenticates the RADIUS server before it sends its PEAP-MSCHAPv2 credentials.

APPENDIX B

Test Summary

Description              Runs
Tests passed             24
Tests Not Run            11
Tests fail               0
Test N/A                 0
Total Number of Tests    35

Aruba Test Configuration File

version 64
enable secret 7d3988e20126db68084797bcc038534bffc2ced01c24555806
hostname Aruba3400
clock timezone PST -8
location Building1floor1
controller config 716
ip NAT pool dynamic-srcnat 0000 0000
ip access-list eth validuserethacl
    permit any
netservice svc-pcoip2-tcp tcp 4172
netservice svc-snmp-trap udp 162
netservice svc-netbios-dgm udp 138
netservice svc-citrix tcp 2598
netservice svc-smb-tcp tcp 445
netservice svc-ike udp 500
netservice svc-l2tp udp 1701
netservice svc-syslog udp 514
netservice svc-dhcp udp 67 68 alg dhcp
netservice svc-https tcp 443
netservice svc-ica tcp 1494
netservice svc-pptp tcp 1723
netservice svc-telnet tcp 23
netservice svc-http-accl tcp 88
netservice svc-sccp tcp 2000 alg sccp
netservice svc-sec-papi udp 8209
netservice svc-tftp udp 69 alg tftp
netservice svc-kerberos udp 88
netservice svc-sip-tcp tcp 5060
netservice svc-netbios-ssn tcp 139
netservice svc-pcoip-udp udp 50002
netservice svc-pcoip-tcp tcp 50002
netservice svc-pop3 tcp 110
netservice svc-adp udp 8200
netservice svc-cfgm-tcp tcp 8211
netservice svc-noe udp 32512 alg noe
netservice svc-http-proxy3 tcp 8888
netservice svc-lpd-tcp tcp 631
netservice svc-msrpc-tcp tcp 135 139
netservice svc-rtsp tcp 554 alg rtsp
netservice svc-dns udp 53 alg dns
netservice vnc tcp 5900 5905
netservice svc-vocera udp 5002 alg vocera
netservice svc-h323-tcp tcp 1720
netservice svc-h323-udp udp 1718 1719
netservice svc-http tcp 80
netservice svc-nterm tcp 1026 1028
netservice svc-sip-udp udp 5060
netservice svc-http-proxy2 tcp 8080
netservice svc-noe-oxo udp 5000 alg noe
netservice svc-papi udp 8211
netservice svc-ftp tcp 21 alg ftp
netservice svc-natt udp 4500
netservice svc-svp 119 alg svp
netservice svc-microsoft-ds tcp 445
netservice svc-gre 47
netservice svc-smtp tcp 25
netservice web tcp list 80 443
netservice svc-smb-udp udp 445
netservice svc-sips tcp 5061 alg sips
netservice svc-netbios-ns udp 137
netservice svc-esp 50

netservice svc-cups tcp 515
netservice svc-pcoip2-udp udp 4172
netservice svc-bootp udp 67 69
netservice svc-snmp udp 161
netservice svc-v6-dhcp udp 546 547
netservice svc-icmp 1
netservice svc-ntp udp 123
netservice svc-msrpc-udp udp 135 139
netservice svc-ssh tcp 22
netservice svc-http-proxy1 tcp 3128
netservice svc-v6-icmp 58
netservice svc-lpd-udp udp 631
netservice svc-vmware-rdp tcp 3389
netdestination6 ipv6-reserved-range
    invert
    network 20003
netexthdr default
time-range night-hours periodic
    weekday 1801 to 2359
    weekday 0000 to 0759
time-range weekend periodic
    weekend 0000 to 2359
time-range working-hours periodic
    weekday 0800 to 1800
ip access-list session allow-diskservices
    any any svc-netbios-dgm permit
    any any svc-netbios-ssn permit
    any any svc-microsoft-ds permit
    any any svc-netbios-ns permit
ip access-list session control
    any any svc-papi permit
    any any svc-sec-papi permit
    user any udp 68 deny
    any any svc-icmp permit
    any any svc-dns permit
    any any svc-cfgm-tcp permit
    any any svc-adp permit
    any any svc-tftp permit
    any any svc-dhcp permit
    any any svc-natt permit
ip access-list session v6-icmp-acl
ip access-list session apprf-ascom-sacl
ip access-list session validuser
    network 16925400 25525500 any any deny
    network 127000 255000 any any deny
    network 224000 240000 any any deny
    host 255255255255 any any deny
    network 240000 240000 any any deny
    any any any permit
    ipv6 host fe80 any any deny
    ipv6 network fc007 any any permit
    ipv6 network fe8064 any any permit
    ipv6 alias ipv6-reserved-range any any deny
    ipv6 any any any permit
ip access-list session vocera-acl
    any any svc-vocera permit queue high

ip access-list session v6-https-acl
ip access-list session vmware-acl
    any any svc-vmware-rdp permit tos 46 dot1p-priority 6
    any any svc-pcoip-tcp permit tos 46 dot1p-priority 6
    any any svc-pcoip-udp permit tos 46 dot1p-priority 6
    any any svc-pcoip2-tcp permit tos 46 dot1p-priority 6
    any any svc-pcoip2-udp permit tos 46 dot1p-priority 6
ip access-list session apprf-default-vpn-role-sacl
ip access-list session v6-control
    ipv6 any any svc-papi permit
    ipv6 any any svc-sec-papi permit
    ipv6 user any udp 547 deny
    ipv6 any any svc-v6-icmp permit
    ipv6 any any svc-dns permit
    ipv6 any any svc-cfgm-tcp permit
    ipv6 any any svc-adp permit
    ipv6 any any svc-tftp permit
    ipv6 any any svc-dhcp permit
    ipv6 any any svc-natt permit
ip access-list session icmp-acl
    any any svc-icmp permit
ip access-list session apprf-authenticated-sacl
ip access-list session apprf-stateful-dot1x-sacl
ip access-list session captiveportal
    user alias controller svc-https dst-nat 8081
    user any svc-http dst-nat 8080
    user any svc-https dst-nat 8081
    user any svc-http-proxy1 dst-nat 8088
    user any svc-http-proxy2 dst-nat 8088
    user any svc-http-proxy3 dst-nat 8088
ip access-list session v6-dhcp-acl
ip access-list session allowall
    any any any permit
ip access-list session v6-dns-acl
ip access-list session apprf-voice-sacl
ip access-list session lync-acl
    any any svc-sips permit queue high
ip access-list session test
ip access-list session sip-acl
    any any svc-sip-udp permit queue high
    any any svc-sip-tcp permit queue high
ip access-list session https-acl
    any any svc-https permit
ip access-list session citrix-acl
    any any svc-citrix permit tos 46 dot1p-priority 6
    any any svc-ica permit tos 46 dot1p-priority 6
ip access-list session dns-acl
    any any svc-dns permit

ip access-list session ascom
    any any any permit
ip access-list session ra-guard
    ipv6 user any icmpv6 rtr-adv deny
ip access-list session allow-printservices
    any any svc-cups permit
    any any svc-lpd-tcp permit
    any any svc-lpd-udp permit
ip access-list session logon-control
    user any udp 68 deny
    any any svc-icmp permit
    any any svc-dns permit
    any any svc-dhcp permit
    any any svc-natt permit
    any network 16925400 25525500 any deny
    any network 240000 240000 any deny
ip access-list session vpnlogon
    user any svc-ike permit
    user any svc-esp permit
    any any svc-l2tp permit
    any any svc-pptp permit
    any any svc-gre permit
ip access-list session srcnat
    user any any src-nat
ip access-list session skinny-acl
    any any svc-sccp permit queue high
ip access-list session tftp-acl
    any any svc-tftp permit
ip access-list session v6-allowall
ip access-list session apprf-cpbase-sacl
ip access-list session cplogout
    user alias controller svc-https dst-nat 8081
ip access-list session apprf-default-via-role-sacl
ip access-list session dhcp-acl
    any any svc-dhcp permit
ip access-list session http-acl
    any any svc-http permit
ip access-list session v6-http-acl
ip access-list session captiveportal6
    ipv6 user alias controller6 svc-https captive
    ipv6 user any svc-http captive
    ipv6 user any svc-https captive
    ipv6 user any svc-http-proxy1 captive
    ipv6 user any svc-http-proxy2 captive
    ipv6 user any svc-http-proxy3 captive
ip access-list session apprf-guest-sacl
ip access-list session ap-uplink-acl
    any any udp 68 permit

    any any svc-icmp permit
    any host 22400251 udp 5353 permit
ip access-list session ap-acl
    any any svc-gre permit
    any any svc-syslog permit
    any user svc-snmp permit
    user any svc-http permit
    user any svc-http-accl permit
    user any svc-smb-tcp permit
    user any svc-msrpc-tcp permit
    user any svc-snmp-trap permit
    user any svc-ntp permit
    user alias controller svc-ftp permit
ip access-list session svp-acl
    any any svc-svp permit queue high
    user host 22401116 any permit
ip access-list session noe-acl
    any any svc-noe permit queue high
ip access-list session global-sacl
ip access-list session v6-ap-acl
    ipv6 any any svc-gre permit
    ipv6 any any svc-syslog permit
    ipv6 any user svc-snmp permit
    ipv6 user any svc-snmp-trap permit
    ipv6 user any svc-ntp permit
    ipv6 user alias controller6 svc-ftp permit
ip access-list session h323-acl
    any any svc-h323-tcp permit queue high
    any any svc-h323-udp permit queue high
ip access-list session v6-logon-control
    ipv6 any network fc007 any permit
    ipv6 any network fe8064 any permit
    ipv6 any alias ipv6-reserved-range any deny
vpn-dialer default-dialer
    ike authentication PRE-SHARE 0fa4598253e270cc96afbec0732b06120e4a3d76a908f6e2
dot1x high-watermark 60
dot1x low-watermark 57
user-role ap-role
    access-list session ra-guard
    access-list session control
    access-list session ap-acl
    access-list session v6-control
    access-list session v6-ap-acl
user-role denyall
user-role default-vpn-role
    access-list session global-sacl
    access-list session apprf-default-vpn-role-sacl
    access-list session ra-guard
    access-list session allowall
    access-list session v6-allowall
user-role cpbase
    access-list session global-sacl
    access-list session apprf-cpbase-sacl

user-role voice
    access-list session global-sacl
    access-list session apprf-voice-sacl
    access-list session ra-guard
    access-list session sip-acl
    access-list session noe-acl
    access-list session svp-acl
    access-list session vocera-acl
    access-list session skinny-acl
    access-list session h323-acl
    access-list session dhcp-acl
    access-list session tftp-acl
    access-list session dns-acl
    access-list session icmp-acl
user-role ascom
    access-list session global-sacl
    access-list session apprf-ascom-sacl
    access-list session ascom
user-role default-via-role
    access-list session global-sacl
    access-list session apprf-default-via-role-sacl
    access-list session allowall
    access-list session v6-allowall
user-role guest-logon
    captive-portal default
    access-list session ra-guard
    access-list session logon-control
    access-list session captiveportal
    access-list session v6-logon-control
    access-list session captiveportal6
user-role guest
    access-list session global-sacl
    access-list session apprf-guest-sacl
    access-list session ra-guard
    access-list session http-acl
    access-list session https-acl
    access-list session dhcp-acl
    access-list session icmp-acl
    access-list session dns-acl
    access-list session v6-http-acl
    access-list session v6-https-acl
    access-list session v6-dhcp-acl
    access-list session v6-icmp-acl
    access-list session v6-dns-acl
user-role stateful-dot1x
    access-list session global-sacl
    access-list session apprf-stateful-dot1x-sacl
user-role authenticated
    access-list session global-sacl
    access-list session apprf-authenticated-sacl
    access-list session ra-guard
    access-list session allowall
    access-list session v6-allowall
user-role logon
    access-list session ra-guard
    access-list session logon-control
    access-list session captiveportal
    access-list session vpnlogon
    access-list session v6-logon-control

    access-list session captiveportal6
no kernel coredump
interface mgmt
    shutdown
dialer group evdo_us
    init-string ATQ0V1E0
    dial-string ATDT777
dialer group gsm_us
    init-string AT+CGDCONT=1IPISPCINGULAR
    dial-string ATD99
dialer group gsm_asia
    init-string AT+CGDCONT=1IPinternet
    dial-string ATD991
dialer group vivo_br
    init-string AT+CGDCONT=1IPzapvivocombr
    dial-string ATD99
no spanning-tree
interface gigabitethernet 10
    description GE10
    trusted
    trusted vlan 1-4094
interface gigabitethernet 11
    description GE11
    trusted
    trusted vlan 1-4094
interface gigabitethernet 12
    description GE12
    trusted
    trusted vlan 1-4094
interface gigabitethernet 13
    description GE13
    trusted
    trusted vlan 1-4094
interface vlan 1
    ip address 192168013 2552552550
ip default-gateway 172201061
ip default-gateway 192168050
uplink disable

crypto isakmp policy 20
    encryption aes256
crypto isakmp policy 10001
crypto isakmp policy 10002
    encryption aes256
    authentication rsa-sig
crypto isakmp policy 10003
    encryption aes256
crypto isakmp policy 10004
    version v2
    encryption aes256
    authentication rsa-sig
crypto isakmp policy 10005
    encryption aes256
crypto isakmp policy 10006
    version v2
    encryption aes128
    authentication rsa-sig
crypto isakmp policy 10007
    version v2
    encryption aes128
crypto isakmp policy 10008
    version v2
    encryption aes128
    hash sha2-256-128
    group 19
    authentication ecdsa-256
    prf prf-hmac-sha256
crypto isakmp policy 10009
    version v2
    encryption aes256
    hash sha2-384-192
    group 20
    authentication ecdsa-384
    prf prf-hmac-sha384
crypto ipsec transform-set default-ha-transform esp-3des esp-sha-hmac
crypto ipsec transform-set default-boc-bm-transform esp-3des esp-sha-hmac
crypto ipsec transform-set default-rap-transform esp-aes256 esp-sha-hmac
crypto ipsec transform-set default-aes esp-aes256 esp-sha-hmac
crypto dynamic-map default-rap-ipsecmap 10001
    version v2
    set transform-set default-gcm256 default-gcm128 default-rap-transform
crypto dynamic-map default-dynamicmap 10000
    set transform-set default-transform default-aes

crypto map GLOBAL-IKEV2-MAP 10000 ipsec-isakmp dynamic default-rap-ipsecmap
crypto map GLOBAL-MAP 10000 ipsec-isakmp dynamic default-dynamicmap
crypto isakmp eap-passthrough eap-tls
crypto isakmp eap-passthrough eap-peap
crypto isakmp eap-passthrough eap-mschapv2
vpdn group l2tp
vpdn group pptp
tunneled-node-address 0000
adp discovery enable
adp igmp-join enable
adp igmp-vlan 0
voice rtcp-inactivity disable
voice alg-based-cac enable
voice sip-midcall-req-timeout disable
ap ap-blacklist-time 3600
ap flush-r1-on-new-r0 disable
mgmt-user admin root 5436b5a101681372db26d314e974065944317cd3e1fe6a5534
no database synchronize
ip mobile domain default
airgroup mdns enable
airgroup dlna enable
airgroup location-discovery enable
airgroup active-wireless-discovery disable
airgroupservice airplay
    id _airplay_tcp
    id _raop_tcp
    id _appletv-v2_tcp
    description AirPlay
airgroupservice airprint
    id _ipp_tcp
    id _pdl-datastream_tcp
    id _printer_tcp
    id _scanner_tcp
    id _universal_sub_ipp_tcp
    id _universal_sub_ipps_tcp
    id _printer_sub_http_tcp
    id _http_tcp

    id _http-alt_tcp
    id _ipp-tls_tcp
    id _fax-ipp_tcp
    id _riousbprint_tcp
    id _cups_sub_ipp_tcp
    id _cups_sub_fax-ipp_tcp
    id _ica-networking_tcp
    id _ptp_tcp
    id _canon-bjnp1_tcp
    id _ipps_tcp
    id _ica-networking2_tcp
    description AirPrint
airgroupservice itunes
    id _home-sharing_tcp
    id _apple-mobdev_tcp
    id _daap_tcp
    id _dacp_tcp
    description iTunes
airgroupservice remotemgmt
    id _ssh_tcp
    id _sftp-ssh_tcp
    id _ftp_tcp
    id _telnet_tcp
    id _rfb_tcp
    id _net-assistant_tcp
    description Remote management
airgroupservice sharing
    id _odisk_tcp
    id _afpovertcp_tcp
    id _xgrid_tcp
    description Sharing
airgroupservice chat
    id _presence_tcp
    description Chat
airgroupservice googlecast
    id _googlecast_tcp
    description GoogleCast supported by Chromecast etc
airgroupservice DIAL
    id urndial-multiscreen-orgservicedial1
    id urndial-multiscreen-orgdevicedial1
    description DIAL supported by Chromecast FireTV Roku etc
airgroupservice DLNA Media
    id urnschemas-upnp-orgdeviceMediaServer1
    id urnschemas-upnp-orgdeviceMediaServer2
    id urnschemas-upnp-orgdeviceMediaServer3
    id urnschemas-upnp-orgdeviceMediaServer4
    id urnschemas-upnp-orgdeviceMediaRenderer1
    id urnschemas-upnp-orgdeviceMediaRenderer2
    id urnschemas-upnp-orgdeviceMediaRenderer3
    id urnschemas-upnp-orgdeviceMediaPlayer1
    description Media
airgroupservice DLNA Print
    id urnschemas-upnp-orgdevicePrinter1
    id urnschemas-upnp-orgservicePrintBasic1
    id urnschemas-upnp-orgservicePrintEnhanced1
    description Print
airgroupservice allowall

    description Remaining-Services
airgroup service airplay enable
airgroup service airprint enable
airgroup service itunes disable
airgroup service remotemgmt disable
airgroup service sharing disable
airgroup service chat disable
airgroup service googlecast disable
airgroup service DIAL enable
airgroup service DLNA Media disable
airgroup service DLNA Print disable
airgroup service allowall disable
ip igmp
ipv6 mld
no firewall attack-rate cp 1024
firewall enable ICE-STUN based firewall traversal
firewall attack-rate grat-arp 50 drop
ipv6 firewall ext-hdr-parse-len 100
firewall cp
ip domain lookup
country US
aaa authentication mac default
aaa authentication dot1x ArubaIntop-dot1x_prof
aaa authentication dot1x ascom
    machine-authentication enable
    machine-authentication machine-default-role ascom
    machine-authentication user-default-role authenticated
    reauthentication
    termination enable
    termination eap-type eap-peap
    termination inner-eap-type eap-mschapv2
aaa authentication dot1x default
aaa authentication dot1x Freeradius
    machine-authentication enable
    machine-authentication machine-default-role ascom
    machine-authentication user-default-role authenticated
aaa authentication-server radius Intop
    host 19216802

    key 6035e299cd29e5ccb74cf92aac31ee2f
aaa server-group ascom
    auth-server Internal
aaa server-group default
    auth-server Internal
    set role condition role value-of
aaa server-group intop
    auth-server Intop
aaa profile ascom
    initial-role ascom
    authentication-dot1x ascom
    dot1x-default-role authenticated
    dot1x-server-group ascom
aaa profile default
aaa profile default-dot1x
    initial-role ascom
    authentication-dot1x Freeradius
    dot1x-default-role authenticated
    dot1x-server-group intop
aaa profile default-dot1x-psk
    initial-role ascom
    authentication-dot1x default-psk
    dot1x-default-role authenticated
aaa authentication captive-portal default
aaa authentication wispr default
aaa authentication vpn default
aaa authentication vpn default-rap
aaa authentication mgmt
aaa authentication stateful-ntlm default
aaa authentication stateful-kerberos default
aaa authentication stateful-dot1x
    server-group intop
aaa authentication wired
web-server
guest-access-email
voice logging
voice dialplan-profile default
app lync traffic-control default
voice real-time-config
voice sip
aaa password-policy mgmt

control-plane-security
    no cpsec-enable
ids wms-general-profile
    poll-retries 3
ids wms-local-system-profile
valid-network-oui-profile
upgrade-profile
license profile
activate-service-whitelist
file syncing profile
ifmap cppm
pan profile default
pan active-profile
ap system-profile default
ap regulatory-domain-profile default
    country-code US
    valid-11g-channel 1
    valid-11g-channel 6
    valid-11g-channel 11
    valid-11a-channel 36
    valid-11a-channel 40
    valid-11a-channel 44
    valid-11a-channel 48
    valid-11a-channel 149
    valid-11a-channel 153
    valid-11a-channel 157
    valid-11a-channel 161
    valid-11a-channel 165
    valid-11g-40mhz-channel-pair 1-5
    valid-11g-40mhz-channel-pair 7-11
    valid-11a-40mhz-channel-pair 36-40
    valid-11a-40mhz-channel-pair 44-48
    valid-11a-40mhz-channel-pair 149-153
    valid-11a-40mhz-channel-pair 157-161
ap wired-ap-profile default
ap enet-link-profile default
ap mesh-ht-ssid-profile default
ap lldp med-network-policy-profile default
ap mesh-cluster-profile default
ap lldp profile default
ap mesh-radio-profile default
ap wired-port-profile default
ids general-profile default
ids unauthorized-device-profile default

ids profile default
rf arm-profile default
    assignment disable
rf arm-profile disable
    assignment disable
    no scanning
    no multi-band-scan
rf optimization-profile default
rf event-thresholds-profile default
rf am-scan-profile default
rf dot11a-radio-profile ch 165
    channel 48E
    tx-power 6
    arm-profile disable
rf dot11a-radio-profile ch 36
    channel 36E
    tx-power 25
    dot11h
    arm-profile disable
rf dot11a-radio-profile ch 40
    channel 40-
    tx-power 22
rf dot11a-radio-profile ch149
    channel 149E
    tx-power 6
    dot11h
rf dot11a-radio-profile ch44
    channel 44
    tx-power 16
rf dot11a-radio-profile default
    arm-profile disable
rf dot11g-radio-profile channel-1
    channel 1
    tx-power 6
    dot11h
    arm-profile disable
rf dot11g-radio-profile channel-11
    channel 11
    tx-power 30
    dot11h
    arm-profile disable
rf dot11g-radio-profile channel-6
    channel 6
    tx-power 25
    dot11h
    arm-profile disable
rf dot11g-radio-profile default
wlan handover-trigger-profile default

wlan rrm-ie-profile default
wlan bcn-rpt-req-profile default
wlan dot11r-profile default
wlan tsm-req-profile default
wlan voip-cac-profile default
    call-capacity 5
    bandwidth-capacity 200
    send-sip-status-code client 503
    send-sip-status-code server 503
wlan ht-ssid-profile default
    no 40MHz-enable
    no very-high-throughput-enable
    no 80MHz-enable
    no short-guard-intvl-20MHz
    no short-guard-intvl-40MHz
    no short-guard-intvl-80MHz
wlan hotspot anqp-venue-name-profile default
wlan hotspot anqp-nwk-auth-profile default
wlan hotspot anqp-roam-cons-profile default
wlan hotspot anqp-nai-realm-profile default
wlan hotspot anqp-3gpp-nwk-profile default
wlan hotspot h2qp-operator-friendly-name-profile default
wlan hotspot h2qp-wan-metrics-profile default
wlan hotspot h2qp-conn-capability-profile default
wlan hotspot h2qp-op-cl-profile default
wlan hotspot anqp-ip-addr-avail-profile default
wlan hotspot anqp-domain-name-profile default
wlan wmm-traffic-management-profile Ascom
    enable-shaping
wlan edca-parameters-profile station default
wlan edca-parameters-profile ap default
wlan dot11k-profile default
wlan ssid-profile --NEW--
    essid ArubaIntop2
    wmm-vo-dscp 56
    wmm-vi-dscp 40
    wmm-be-dscp 24
    wmm-bk-dscp 8
wlan ssid-profile default
    essid ArubaIntop
    opmode wpa2-psk-aes
    dtim-period 5
    g-basic-rates 6
    g-tx-rates 11 12 18 24 36 48 54

    max-retries 4
    wmm
    wmm-vo-dscp 46
    wmm-vi-dscp 40
    wmm-be-dscp 26
    wmm-bk-dscp 0
    wepkey1 1317981aecb1ee9a3145cbeeabbbc99a4c29e309ef9c8544
    wpa-passphrase 50a78a5dac7e447441e028920cceef898a3ba5f29c6e2098
    max-tx-fail 25
    edca-parameters-profile station default
    edca-parameters-profile ap default
wlan ssid-profile test
    opmode wpa2-psk-aes
    wmm-vo-dscp 56
    wmm-vi-dscp 40
    wmm-be-dscp 24
    wmm-bk-dscp 8
    wpa-passphrase c66913b490044f55538730b888a8522c02008a746fb88738
wlan hotspot advertisement-profile default
wlan hotspot hs2-profile default
wlan virtual-ap default
    aaa-profile default-dot1x
ap provisioning-profile default
rf arm-rf-domain-profile
    arm-rf-domain-key 49868e8b02680a8f03980ea4288197a4
ap-lacp-striping-ip
ap-group default
    virtual-ap default
    dot11a-radio-profile ch149
    dot11g-radio-profile channel-6
ap-name 001a1eca2c1a
    dot11a-radio-profile ch 36
    dot11g-radio-profile channel-11
ap-name 001a1eca2c76
    dot11a-radio-profile ch 36
    dot11g-radio-profile channel-1
ap-name 00246ccbf8b1
ap-name 00246ccbf900
    dot11a-radio-profile ch44
    dot11g-radio-profile channel-11
ap-name 24dec6cacabc
    dot11a-radio-profile ch149
    dot11g-radio-profile channel-1
ap-name 3400-ap-61-a
    dot11g-radio-profile channel-6
ap-name 3400-ap-61-b
    dot11g-radio-profile channel-6
ap-name 9c1c12c0c3bc
    dot11a-radio-profile ch 165
    dot11g-radio-profile channel-6

ap-name 9c1c12c82e5c
    dot11a-radio-profile ch149
    dot11g-radio-profile channel-1
ap-name 9c1c12cc6220
    dot11a-radio-profile ch 36
    dot11g-radio-profile channel-6
ap-name d8c7c8c0a168
    dot11a-radio-profile ch 36
    dot11g-radio-profile channel-1
airgroup cppm-server aaa
logging level warnings security subcat ids
logging level warnings security subcat ids-ap
snmp-server enable trap
snmp-server trap source 0000
snmp-server trap disable wlsxAdhocNetwork
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedAP
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedSta
snmp-server trap disable wlsxAdhocUsingValidSSID
snmp-server trap disable wlsxAuthMaxAclEntries
snmp-server trap disable wlsxAuthMaxBWContracts
snmp-server trap disable wlsxAuthMaxUserEntries
snmp-server trap disable wlsxAuthServerIsUp
snmp-server trap disable wlsxAuthServerReqTimedOut
snmp-server trap disable wlsxAuthServerTimedOut
snmp-server trap disable wlsxChannelChanged
snmp-server trap disable wlsxCoverageHoleDetected
snmp-server trap disable wlsxDBCommunicationFailure
snmp-server trap disable wlsxDisconnectStationAttack
snmp-server trap disable wlsxESIServerDown
snmp-server trap disable wlsxESIServerUp
snmp-server trap disable wlsxFanFailure
snmp-server trap disable wlsxFanTrayInserted
snmp-server trap disable wlsxFanTrayRemoved
snmp-server trap disable wlsxGBICInserted
snmp-server trap disable wlsxIpSpoofingDetected
snmp-server trap disable wlsxLCInserted
snmp-server trap disable wlsxLCRemoved
snmp-server trap disable wlsxLicenseExpiry
snmp-server trap disable wlsxLowMemory
snmp-server trap disable wlsxLowOnFlashSpace
snmp-server trap disable wlsxOutOfRangeTemperature
snmp-server trap disable wlsxOutOfRangeVoltage
snmp-server trap disable wlsxPowerSupplyFailure
snmp-server trap disable wlsxPowerSupplyMissing
snmp-server trap disable wlsxProcessDied
snmp-server trap disable wlsxProcessExceedsMemoryLimits
snmp-server trap disable wlsxSCInserted
snmp-server trap disable wlsxSignatureMatch
snmp-server trap disable wlsxStaUnAssociatedFromUnsecureAP
snmp-server trap disable wlsxStationAddedToBlackList
snmp-server trap disable wlsxStationRemovedFromBlackList
snmp-server trap disable wlsxSwitchIPChanged
snmp-server trap disable wlsxSwitchRoleChange
snmp-server trap disable wlsxUserAuthenticationFailed
snmp-server trap disable wlsxUserEntryAuthenticated
snmp-server trap disable wlsxUserEntryChanged
snmp-server trap disable wlsxUserEntryCreated
snmp-server trap disable wlsxUserEntryDeAuthenticated
snmp-server trap disable wlsxUserEntryDeleted
snmp-server trap disable wlsxVrrpStateChange

firewall-visibility
process monitor log
end

logon access-list session ra-guard access-list session logon-control access-list session captiveportal access-list session vpnlogon access-list session v6-logon-control access-list session captiveportal6no kernel coredumpinterface mgmtshutdowndialer group evdo_us init-string ATQ0V1E0 dial-string ATDT777dialer group gsm_us init-string AT+CGDCONT=1IPISPCINGULAR dial-string ATD99dialer group gsm_asia init-string AT+CGDCONT=1IPinternet dial-string ATD991dialer group vivo_br init-string AT+CGDCONT=1IPzapvivocombr dial-string ATD99no spanning-treeinterface gigabitethernet 10description GE10trustedtrusted vlan 1-4094interface gigabitethernet 11description GE11trustedtrusted vlan 1-4094interface gigabitethernet 12description GE12trustedtrusted vlan 1-4094interface gigabitethernet 13description GE13trustedtrusted vlan 1-4094interface vlan 1ip address 192168013 2552552550ip default-gateway 172201061ip default-gateway 192168050uplink disablecrypto isakmp policy 20 encryption aes256crypto isakmp policy 10001crypto isakmp policy 10002 encryption aes256 authentication rsa-sigcrypto isakmp policy 10003 encryption aes256crypto isakmp policy 10004 version v2 encryption aes256 authentication rsa-sigcrypto isakmp policy 10005 encryption aes256crypto isakmp policy 10006 version v2 encryption aes128 authentication rsa-sigcrypto isakmp policy 10007 version v2 encryption aes128crypto isakmp policy 10008 version v2 encryption aes128 hash sha2-256-128 group 19 authentication ecdsa-256 prf prf-hmac-sha256crypto isakmp policy 10009 version v2 encryption aes256 hash sha2-384-192 group 20 authentication ecdsa-384 prf prf-hmac-sha384crypto ipsec transform-set default-ha-transform esp-3des esp-sha-hmaccrypto ipsec transform-set default-boc-bm-transform esp-3des esp-sha-hmaccrypto ipsec transform-set default-rap-transform esp-aes256 esp-sha-hmaccrypto ipsec transform-set default-aes esp-aes256 esp-sha-hmaccrypto dynamic-map default-rap-ipsecmap 10001 version v2 set transform-set default-gcm256 
default-gcm128 default-rap-transform crypto dynamic-map default-dynamicmap 10000 set transform-set default-transform default-aes crypto map GLOBAL-IKEV2-MAP 10000 ipsec-isakmp dynamic default-rap-ipsecmapcrypto map GLOBAL-MAP 10000 ipsec-isakmp dynamic default-dynamicmapcrypto isakmp eap-passthrough eap-tlscrypto isakmp eap-passthrough eap-peapcrypto isakmp eap-passthrough eap-mschapv2vpdn group l2tp vpdn group pptptunneled-node-address 0000adp discovery enableadp igmp-join enableadp igmp-vlan 0voice rtcp-inactivity disablevoice alg-based-cac enablevoice sip-midcall-req-timeout disableap ap-blacklist-time 3600ap flush-r1-on-new-r0 disablemgmt-user admin root 5436b5a101681372db26d314e974065944317cd3e1fe6a5534no database synchronizeip mobile domain defaultairgroup mdns enableairgroup dlna enableairgroup location-discovery enableairgroup active-wireless-discovery disableairgroupservice airplay id _airplay_tcp id _raop_tcp id _appletv-v2_tcp description AirPlayairgroupservice airprint id _ipp_tcp id _pdl-datastream_tcp id _printer_tcp id _scanner_tcp id _universal_sub_ipp_tcp id _universal_sub_ipps_tcp id _printer_sub_http_tcp id _http_tcp id _http-alt_tcp id _ipp-tls_tcp id _fax-ipp_tcp id _riousbprint_tcp id _cups_sub_ipp_tcp id _cups_sub_fax-ipp_tcp id _ica-networking_tcp id _ptp_tcp id _canon-bjnp1_tcp id _ipps_tcp id _ica-networking2_tcp description AirPrintairgroupservice itunes id _home-sharing_tcp id _apple-mobdev_tcp id _daap_tcp id _dacp_tcp description iTunesairgroupservice remotemgmt id _ssh_tcp id _sftp-ssh_tcp id _ftp_tcp id _telnet_tcp id _rfb_tcp id _net-assistant_tcp description Remote managementairgroupservice sharing id _odisk_tcp id _afpovertcp_tcp id _xgrid_tcp description Sharingairgroupservice chat id _presence_tcp description Chatairgroupservice googlecast id _googlecast_tcp description GoogleCast supported by Chromecast etcairgroupservice DIAL id urndial-multiscreen-orgservicedial1 id urndial-multiscreen-orgdevicedial1 description DIAL 
supported by Chromecast FireTV Roku etcairgroupservice DLNA Media id urnschemas-upnp-orgdeviceMediaServer1 id urnschemas-upnp-orgdeviceMediaServer2 id urnschemas-upnp-orgdeviceMediaServer3 id urnschemas-upnp-orgdeviceMediaServer4 id urnschemas-upnp-orgdeviceMediaRenderer1 id urnschemas-upnp-orgdeviceMediaRenderer2 id urnschemas-upnp-orgdeviceMediaRenderer3 id urnschemas-upnp-orgdeviceMediaPlayer1 description Mediaairgroupservice DLNA Print id urnschemas-upnp-orgdevicePrinter1 id urnschemas-upnp-orgservicePrintBasic1 id urnschemas-upnp-orgservicePrintEnhanced1 description Printairgroupservice allowall description Remaining-Servicesairgroup service airplay enableairgroup service airprint enableairgroup service itunes disableairgroup service remotemgmt disableairgroup service sharing disableairgroup service chat disableairgroup service googlecast disableairgroup service DIAL enableairgroup service DLNA Media disableairgroup service DLNA Print disableairgroup service allowall disableip igmpipv6 mldno firewall attack-rate cp 1024firewall enable ICE-STUN based firewall traversalfirewall attack-rate grat-arp 50 dropipv6 firewall ext-hdr-parse-len 100firewall cpip domain lookupcountry USaaa authentication mac defaultaaa authentication dot1x ArubaIntop-dot1x_profaaa authentication dot1x ascom machine-authentication enable machine-authentication machine-default-role ascom machine-authentication user-default-role authenticated reauthentication termination enable termination eap-type eap-peap termination inner-eap-type eap-mschapv2aaa authentication dot1x defaultaaa authentication dot1x Freeradius machine-authentication enable machine-authentication machine-default-role ascom machine-authentication user-default-role authenticatedaaa authentication-server radius Intop host 19216802 key 6035e299cd29e5ccb74cf92aac31ee2faaa server-group ascom auth-server Internalaaa server-group default auth-server Internal set role condition role value-ofaaa server-group intop auth-server 
Intopaaa profile ascom initial-role ascom authentication-dot1x ascom dot1x-default-role authenticated dot1x-server-group ascomaaa profile defaultaaa profile default-dot1x initial-role ascom authentication-dot1x Freeradius dot1x-default-role authenticated dot1x-server-group intopaaa profile default-dot1x-psk initial-role ascom authentication-dot1x default-psk dot1x-default-role authenticatedaaa authentication captive-portal defaultaaa authentication wispr defaultaaa authentication vpn defaultaaa authentication vpn default-rapaaa authentication mgmtaaa authentication stateful-ntlm defaultaaa authentication stateful-kerberos defaultaaa authentication stateful-dot1x server-group intopaaa authentication wiredweb-serverguest-access-emailvoice loggingvoice dialplan-profile defaultapp lync traffic-control defaultvoice real-time-configvoice sipaaa password-policy mgmtcontrol-plane-security no cpsec-enableids wms-general-profile poll-retries 3ids wms-local-system-profilevalid-network-oui-profileupgrade-profilelicense profileactivate-service-whitelistfile syncing profileifmap cppmpan profile defaultpan active-profileap system-profile defaultap regulatory-domain-profile default country-code US valid-11g-channel 1 valid-11g-channel 6 valid-11g-channel 11 valid-11a-channel 36 valid-11a-channel 40 valid-11a-channel 44 valid-11a-channel 48 valid-11a-channel 149 valid-11a-channel 153 valid-11a-channel 157 valid-11a-channel 161 valid-11a-channel 165 valid-11g-40mhz-channel-pair 1-5 valid-11g-40mhz-channel-pair 7-11 valid-11a-40mhz-channel-pair 36-40 valid-11a-40mhz-channel-pair 44-48 valid-11a-40mhz-channel-pair 149-153 valid-11a-40mhz-channel-pair 157-161ap wired-ap-profile defaultap enet-link-profile defaultap mesh-ht-ssid-profile defaultap lldp med-network-policy-profile defaultap mesh-cluster-profile defaultap lldp profile defaultap mesh-radio-profile defaultap wired-port-profile defaultids general-profile defaultids unauthorized-device-profile defaultids profile defaultrf 
arm-profile default assignment disablerf arm-profile disable assignment disable no scanning no multi-band-scanrf optimization-profile defaultrf event-thresholds-profile defaultrf am-scan-profile defaultrf dot11a-radio-profile ch 165 channel 48E tx-power 6 arm-profile disablerf dot11a-radio-profile ch 36 channel 36E tx-power 25 dot11h arm-profile disablerf dot11a-radio-profile ch 40 channel 40- tx-power 22rf dot11a-radio-profile ch149 channel 149E tx-power 6 dot11hrf dot11a-radio-profile ch44 channel 44 tx-power 16rf dot11a-radio-profile default arm-profile disablerf dot11g-radio-profile channel-1 channel 1 tx-power 6 dot11h arm-profile disablerf dot11g-radio-profile channel-11 channel 11 tx-power 30 dot11h arm-profile disablerf dot11g-radio-profile channel-6 channel 6 tx-power 25 dot11h arm-profile disablerf dot11g-radio-profile defaultwlan handover-trigger-profile defaultwlan rrm-ie-profile defaultwlan bcn-rpt-req-profile defaultwlan dot11r-profile defaultwlan tsm-req-profile defaultwlan voip-cac-profile default call-capacity 5 bandwidth-capacity 200 send-sip-status-code client 503 send-sip-status-code server 503wlan ht-ssid-profile default no 40MHz-enable no very-high-throughput-enable no 80MHz-enable no short-guard-intvl-20MHz no short-guard-intvl-40MHz no short-guard-intvl-80MHzwlan hotspot anqp-venue-name-profile defaultwlan hotspot anqp-nwk-auth-profile defaultwlan hotspot anqp-roam-cons-profile defaultwlan hotspot anqp-nai-realm-profile defaultwlan hotspot anqp-3gpp-nwk-profile defaultwlan hotspot h2qp-operator-friendly-name-profile defaultwlan hotspot h2qp-wan-metrics-profile defaultwlan hotspot h2qp-conn-capability-profile defaultwlan hotspot h2qp-op-cl-profile defaultwlan hotspot anqp-ip-addr-avail-profile defaultwlan hotspot anqp-domain-name-profile defaultwlan wmm-traffic-management-profile Ascom enable-shapingwlan edca-parameters-profile station defaultwlan edca-parameters-profile ap defaultwlan dot11k-profile defaultwlan ssid-profile --NEW-- essid 
ArubaIntop2 wmm-vo-dscp 56 wmm-vi-dscp 40 wmm-be-dscp 24 wmm-bk-dscp 8wlan ssid-profile default essid ArubaIntop opmode wpa2-psk-aes dtim-period 5 g-basic-rates 6 g-tx-rates 11 12 18 24 36 48 54 max-retries 4 wmm wmm-vo-dscp 46 wmm-vi-dscp 40 wmm-be-dscp 26 wmm-bk-dscp 0 wepkey1 1317981aecb1ee9a3145cbeeabbbc99a4c29e309ef9c8544 wpa-passphrase 50a78a5dac7e447441e028920cceef898a3ba5f29c6e2098 max-tx-fail 25 edca-parameters-profile station default edca-parameters-profile ap defaultwlan ssid-profile test opmode wpa2-psk-aes wmm-vo-dscp 56 wmm-vi-dscp 40 wmm-be-dscp 24 wmm-bk-dscp 8 wpa-passphrase c66913b490044f55538730b888a8522c02008a746fb88738wlan hotspot advertisement-profile defaultwlan hotspot hs2-profile defaultwlan virtual-ap default aaa-profile default-dot1xap provisioning-profile defaultrf arm-rf-domain-profile arm-rf-domain-key 49868e8b02680a8f03980ea4288197a4ap-lacp-striping-ipap-group default virtual-ap default dot11a-radio-profile ch149 dot11g-radio-profile channel-6ap-name 001a1eca2c1a dot11a-radio-profile ch 36 dot11g-radio-profile channel-11ap-name 001a1eca2c76 dot11a-radio-profile ch 36 dot11g-radio-profile channel-1ap-name 00246ccbf8b1ap-name 00246ccbf900 dot11a-radio-profile ch44 dot11g-radio-profile channel-11ap-name 24dec6cacabc dot11a-radio-profile ch149 dot11g-radio-profile channel-1ap-name 3400-ap-61-a dot11g-radio-profile channel-6ap-name 3400-ap-61-b dot11g-radio-profile channel-6ap-name 9c1c12c0c3bc dot11a-radio-profile ch 165 dot11g-radio-profile channel-6ap-name 9c1c12c82e5c dot11a-radio-profile ch149 dot11g-radio-profile channel-1ap-name 9c1c12cc6220 dot11a-radio-profile ch 36 dot11g-radio-profile channel-6ap-name d8c7c8c0a168 dot11a-radio-profile ch 36 dot11g-radio-profile channel-1airgroup cppm-server aaalogging level warnings security subcat idslogging level warnings security subcat ids-apsnmp-server enable trapsnmp-server trap source 0000snmp-server trap disable wlsxAdhocNetworksnmp-server trap disable 
wlsxAdhocNetworkBridgeDetectedAPsnmp-server trap disable wlsxAdhocNetworkBridgeDetectedStasnmp-server trap disable wlsxAdhocUsingValidSSIDsnmp-server trap disable wlsxAuthMaxAclEntriessnmp-server trap disable wlsxAuthMaxBWContractssnmp-server trap disable wlsxAuthMaxUserEntriessnmp-server trap disable wlsxAuthServerIsUpsnmp-server trap disable wlsxAuthServerReqTimedOutsnmp-server trap disable wlsxAuthServerTimedOutsnmp-server trap disable wlsxChannelChangedsnmp-server trap disable wlsxCoverageHoleDetectedsnmp-server trap disable wlsxDBCommunicationFailuresnmp-server trap disable wlsxDisconnectStationAttacksnmp-server trap disable wlsxESIServerDownsnmp-server trap disable wlsxESIServerUpsnmp-server trap disable wlsxFanFailuresnmp-server trap disable wlsxFanTrayInsertedsnmp-server trap disable wlsxFanTrayRemovedsnmp-server trap disable wlsxGBICInsertedsnmp-server trap disable wlsxIpSpoofingDetectedsnmp-server trap disable wlsxLCInsertedsnmp-server trap disable wlsxLCRemovedsnmp-server trap disable wlsxLicenseExpirysnmp-server trap disable wlsxLowMemorysnmp-server trap disable wlsxLowOnFlashSpacesnmp-server trap disable wlsxOutOfRangeTemperaturesnmp-server trap disable wlsxOutOfRangeVoltagesnmp-server trap disable wlsxPowerSupplyFailuresnmp-server trap disable wlsxPowerSupplyMissingsnmp-server trap disable wlsxProcessDiedsnmp-server trap disable wlsxProcessExceedsMemoryLimitssnmp-server trap disable wlsxSCInsertedsnmp-server trap disable wlsxSignatureMatchsnmp-server trap disable wlsxStaUnAssociatedFromUnsecureAPsnmp-server trap disable wlsxStationAddedToBlackListsnmp-server trap disable wlsxStationRemovedFromBlackListsnmp-server trap disable wlsxSwitchIPChangedsnmp-server trap disable wlsxSwitchRoleChangesnmp-server trap disable wlsxUserAuthenticationFailedsnmp-server trap disable wlsxUserEntryAuthenticatedsnmp-server trap disable wlsxUserEntryChangedsnmp-server trap disable wlsxUserEntryCreatedsnmp-server trap disable wlsxUserEntryDeAuthenticatedsnmp-server trap 
disable wlsxUserEntryDeletedsnmp-server trap disable wlsxVrrpStateChangefirewall-visibility process monitor logend

WLAN Interoperability Test Report

Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP115 and AP225

WLAN configuration:
Beacon Interval: 100ms
DTIM Interval: 5
802.11d Regulatory Domain: XX
WMM Enabled (AutoWMM)
No Auto-tune
Single Voice VLAN

| Test Case | Description | AP115 2.4GHz | AP115 5.0GHz | AP225 2.4GHz | AP225 5.0GHz | Comment |
|---|---|---|---|---|---|---|
| | TEST AREA ASSOCIATION / AUTHENTICATION | | | | | |
| 101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS | |
| 104 | Association with WPA-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 105 | Association with WPA-PSK authentication, AES-CCMP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 106 | Association with WPA2-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS | |
| 110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL |
| 111 | Association with EAP-FAST authentication | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment |
| 116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate |
| | TEST AREA POWER-SAVE AND QOS | | | | | PASS |
| 150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL |
| 151 | Beacon period and DTIM interval | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
| 152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment |
| 202 | WMM prioritization | PASS | PASS | PASS | PASS | background load generated with iPerf. No degeneration of voice quality |
| | TEST AREA PERFORMANCE | | | | | |
| 301 | Active mode - unencrypted | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 303 | Active mode - encrypted with WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 308 | Power-save mode U-APSD - WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 309 | Power-save mode U-APSD - WPA2-PSK AES background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 310 | CAC - TSPEC | PASS | PASS | PASS | PASS | No TSPEC based CAC |
| | TEST AREA ROAMING AND HANDOVER TIMES | | | | | |
| 401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | avg a/n 24ms, b/g/n 24ms |
| 403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 52ms, b/g/n 59ms |
| 408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 63ms, b/g/n 62ms |
| 410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | always on, see 408 |
| 411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | always on, see 408 |
| | TEST AREA BATTERY LIFETIME | | | | | |
| 501 | Battery lifetime in idle | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 502 | Battery lifetime in call with no power save | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 504 | Battery lifetime in call with power save mode U-APSD | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| | TEST AREA STABILITY | | | | | |
| 601 | Duration of call - Active mode | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 602 | Duration of call - U-APSD mode | PASS | PASS | PASS | PASS | |
| | TEST AREA 802.11n | | | | | |
| 801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 804 | 40MHz channels | NOT TESTED | PASS | NOT TESTED | NOT TESTED | |
| 805 | 802.11n rates | PASS | PASS | PASS | PASS | |

WLAN Interoperability Test Report

Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP103 and AP205

WLAN configuration:
Beacon Interval: 100ms
DTIM Interval: 5
802.11d Regulatory Domain: XX
WMM Enabled (AutoWMM)
No Auto-tune
Single Voice VLAN

| Test Case | Description | AP205 2.4GHz | AP205 5.0GHz | AP103 2.4GHz | AP103 5.0GHz | Comment |
|---|---|---|---|---|---|---|
| | TEST AREA ASSOCIATION / AUTHENTICATION | | | | | |
| 101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS | |
| 104 | Association with WPA-PSK authentication, TKIP encryption | See Comment | See Comment | See Comment | See Comment | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 105 | Association with WPA-PSK authentication, AES-CCMP encryption | See Comment | See Comment | See Comment | See Comment | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 106 | Association with WPA2-PSK authentication, TKIP encryption | PASS | PASS | PASS | PASS | |
| 107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS | |
| 110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL |
| 115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment |
| 116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate |
| | TEST AREA POWER-SAVE AND QOS | | | | | PASS |
| 150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL |
| 151 | Beacon period and DTIM interval | See Comment | See Comment | PASS | PASS | Only DTIM 1 for AP205; AP103 no remark. NOT TESTED |
| 152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment |
| 202 | WMM prioritization | PASS | PASS | PASS | PASS | |
| | TEST AREA PERFORMANCE | | | | | |
| 301 | Active mode - unencrypted | PASS | PASS | PASS | PASS | |
| 303 | Active mode - encrypted with WPA2-PSK | PASS | PASS | PASS | PASS | |
| 308 | Power-save mode U-APSD - WPA2-PSK | PASS | PASS | PASS | PASS | |
| 309 | Power-save mode U-APSD - WPA2-PSK AES background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 310 | CAC - TSPEC | PASS | PASS | PASS | PASS | Non TSPEC based CAC |
| | TEST AREA ROAMING AND HANDOVER TIMES | | | | | |
| 401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 16ms, b/g/n 18ms |
| 403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 53ms, b/g/n 59ms |
| 408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 46ms, b/g/n 62ms |
| 410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | always on, see 408 |
| 411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | always on, see 408 |
| | TEST AREA BATTERY LIFETIME | | | | | |
| 501 | Battery lifetime in idle | See Comment | See Comment | PASS | PASS | 60-70h due to DTIM 1 only; AP103 90-100h (DTIM 5) |
| 502 | Battery lifetime in call with no power save | PASS | PASS | PASS | PASS | 3-4 hours |
| 504 | Battery lifetime in call with power save mode U-APSD | PASS | PASS | PASS | PASS | 13h (14-16h for AP103) |
| | TEST AREA STABILITY | | | | | |
| 601 | Duration of call - Active mode | PASS | PASS | PASS | PASS | 24h + |
| 602 | Duration of call - U-APSD mode | PASS | PASS | PASS | PASS | 24h + |
| | TEST AREA 802.11n | | | | | |
| 801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 804 | 40MHz channels | NOT TESTED | PASS | NOT TESTED | PASS | AP205 80MHz channels verified ok |
| 805 | 802.11n rates | PASS | PASS | PASS | PASS | |

WLAN Interoperability Test Report

Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP105 and AP135

WLAN configuration:
Beacon Interval: 100ms
DTIM Interval: 5
802.11d Regulatory Domain: XX
WMM Enabled (AutoWMM)
No Auto-tune
Single Voice VLAN

| Test Case | Description | AP105 2.4GHz | AP105 5.0GHz | AP135 2.4GHz | AP135 5.0GHz | Comment |
|---|---|---|---|---|---|---|
| | TEST AREA ASSOCIATION / AUTHENTICATION | | | | | |
| 101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS | |
| 104 | Association with WPA-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 105 | Association with WPA-PSK authentication, AES-CCMP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 106 | Association with WPA2-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS | |
| 110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL |
| 115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment |
| 116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate |
| | TEST AREA POWER-SAVE AND QOS | | | | | PASS |
| 150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL |
| 151 | Beacon period and DTIM interval | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Only DTIM 1 for AP205; AP103 no remark. NOT TESTED |
| 152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment |
| 202 | WMM prioritization | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | background load generated with iPerf. No degeneration of voice quality |
| | TEST AREA PERFORMANCE | | | | | |
| 301 | Active mode - unencrypted | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 303 | Active mode - encrypted with WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 308 | Power-save mode U-APSD - WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 309 | Power-save mode U-APSD - WPA2-PSK AES background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 310 | CAC - TSPEC | PASS | PASS | PASS | PASS | No TSPEC based CAC |
| | TEST AREA ROAMING AND HANDOVER TIMES | | | | | |
| 401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | avg a/n 29ms, b/g/n 27ms |
| 403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 57ms, b/g/n 55ms |
| 408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 62ms, b/g/n 60ms |
| 410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | Always on, see 408 |
| 411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | Always on, see 408 |
| 412 | Preauthentication | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| | TEST AREA BATTERY LIFETIME | | | | | |
| 501 | Battery lifetime in idle | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 502 | Battery lifetime in call with no power save | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 504 | Battery lifetime in call with power save mode U-APSD | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| | TEST AREA STABILITY | | | | | |
| 601 | Duration of call - Active mode | PASS | PASS | PASS | PASS | |
| 602 | Duration of call - U-APSD mode | PASS | PASS | PASS | PASS | |
| | TEST AREA 802.11n | | | | | |
| 801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 804 | 40MHz channels | NOT TESTED | NOT TESTED | NOT TESTED | PASS | |
| 805 | 802.11n rates | PASS | PASS | PASS | PASS | |
Known Limitations

- Note that AP-205/214/215/224/225/275 only support DTIM 1. This will reduce the standby (idle) time from approximately 100 hours to 60 hours.

- Ascom i62 does not handle 802.11k info correctly, which affects roaming negatively.

It is therefore highly recommended to configure the Aruba system not to advertise the 802.11k capabilities for the Ascom i62 SSID.

Conclusion

The verification, including association, authentication, roaming and load test, produced very good results overall. Roaming times were in general good, with roaming times of around 40-60ms both when using WPA2-PSK/AES and PEAP-MSCHAPv2 (WPA2/AES).

Load testing showed that more than 18 Ascom i62 Handsets could maintain a call via a single Aruba access point when tested both in active and U-APSD modes. Note that 18 was the maximum number of devices tested and not the capacity limit.

Appendix 1

This section includes screenshots and explanations of basic settings required to use Ascom i62 Handsets with an Aruba 3400 Mobility Controller. Please note the security settings of each test case, as they were modified according to the needs of the test cases.

The configuration file is found at the end of this appendix.

General settings (SSID, Radio and QoS)

Set DTIM Interval to 5 (for AP-204/205/214/215/224/225 only value 1 is supported). This value is recommended for maximum battery conservation without impacting call quality. Using a lower value will also decrease the standby time slightly.

Ascom recommends disabling the lowest rates and recommends that 12 Mbit/s is the lowest basic rate.

Ensure that WMM and U-APSD are enabled. To match the default values in the i62, use DSCP 46 for voice, 26 for video and 0 for best effort. It is also recommended that "Max Transmit Attempts" be set to 4.

Note: To further optimize performance, it is recommended that 802.11b clients be disallowed from associating by setting 6 Mbps or 12 Mbps as Basic Rates in the 802.11g configuration.

Set "Maximum Transmit Failures" to 25.

"High throughput enable" enables 802.11n capabilities that are supported in combination with Open encryption and WPA2-AES (PSK or Enterprise).

Ascom supports both 40MHz and Very High Throughput enabled SSIDs, including 80MHz channels.

Ascom recommends a Beacon Interval of 100ms and advertising 802.11d/h capabilities.

General guidelines when deploying Ascom i62 handsets (SW version 2.5.7 or later) in 802.11a/n environments:

1. Enabling more than 8 channels will degrade roaming performance. Ascom strongly recommends against going above this limit.

2. Using 40 MHz channels (or "channel-bonding") will reduce the number of non-DFS channels to two in ETSI regions (Europe). In FCC regions (North America), 40MHz is a more viable option because of the availability of additional non-DFS channels. The handset can co-exist with 40MHz stations in the same ESS.

3 Make sure that all non‐DFS channel are taken before resorting to DFS channels The handset can cope in mixed non‐DFS and DFS environments however due to ldquounpredictabilityrdquo introduced by radar detection protocols voice quality may become distorted and roaming delayed Hence Ascom recommends avoiding the use of DFS channels in VoWi‐Fi deployments

) Dynamic Frequency Selection (radar detection)

Ascom recommends a Beacon Interval of 100ms and advertising 80211dh capabilities For 80211bgn

use only channels 1 6 and 11 For 80211an use channels in accordance with Arubarsquos guidelines and in

compliance with local regulations

Encryption and Authentication Settings

WPA2-PSK: Set the security profile to WPA2-PSK with AES encryption.

Enterprise/1X authentication

Step 1: When configuring the authentication mode using a RADIUS server, the IP address and the secret must correspond to the IP address and the credential used by the RADIUS server. The RADIUS server should be added to a Server Group.

Step 2: Create an 802.1X Authentication Profile.

Step 3: Choose the 802.1X Authentication profile created in the previous step and configure the Authentication Server group.

Choose the configured AAA Profile and set WPA2/AES as the security mode.

See Appendix B for the controller configuration used for the certification process.
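The SSID, QoS and security values recommended above can be checked automatically against a controller configuration. The script below is an added example, not part of the original guide or of any Aruba or Ascom tooling: the keywords are those that appear in the Appendix B test configuration, the mapping of "Max Transmit Attempts" to max-retries and "Maximum Transmit Failures" to max-tx-fail is an assumption based on the values 4 and 25 in that file, and the sample configuration and profile names are constructed.

```python
# Added example: audit "wlan ssid-profile" stanzas against the guide's values.
# Keywords follow the Appendix B test configuration. Treating max-retries as
# "Max Transmit Attempts" and max-tx-fail as "Maximum Transmit Failures" is an
# assumption based on the values 4 and 25 used in that file.

GUIDE_VALUES = {
    "dtim-period": "5",
    "max-retries": "4",
    "max-tx-fail": "25",
    "wmm-vo-dscp": "46",   # voice
    "wmm-vi-dscp": "26",   # video
    "wmm-be-dscp": "0",    # best effort
}
WPA2_AES_OPMODES = {"wpa2-psk-aes", "wpa2-aes"}

# Constructed sample input, not taken from a real controller.
SAMPLE_CONFIG = """\
wlan ssid-profile "voice-guide"
   essid "voice-guide"
   opmode wpa2-psk-aes
   dtim-period 5
   g-basic-rates 12
   max-retries 4
   wmm
   wmm-vo-dscp 46
   wmm-vi-dscp 26
   wmm-be-dscp 0
   max-tx-fail 25
!
wlan ssid-profile "voice-legacy"
   essid "voice-legacy"
   opmode wpa-psk-tkip
   dtim-period 1
   g-basic-rates 1 2
   max-retries 8
   wmm-vo-dscp 56
!
interface vlan 1
   description "not an ssid-profile, must be ignored"
"""


def parse_ssid_profiles(config_text):
    """Return {profile name: {keyword: [arguments]}} for each ssid-profile stanza."""
    profiles, current = {}, None
    for raw in config_text.splitlines():
        tokens = [t.strip('"') for t in raw.split()]
        if not tokens or tokens == ["!"]:
            continue
        if raw[0].isspace():
            if current is not None:          # indented line inside a stanza
                current[tokens[0]] = tokens[1:]
        elif tokens[:2] == ["wlan", "ssid-profile"] and len(tokens) >= 3:
            current = profiles.setdefault(tokens[2], {})
        else:
            current = None                   # any other top-level statement
    return profiles


def audit_profile(name, settings, dtim_one_only=False):
    """List deviations from the guide for one profile.

    dtim_one_only=True is for the AP models the guide says support only
    DTIM 1 (AP-204/205/214/215/224/225).
    """
    expected = dict(GUIDE_VALUES)
    if dtim_one_only:
        expected["dtim-period"] = "1"
    findings = []
    for key, want in expected.items():
        got = settings.get(key)
        if not got:
            findings.append(f"{name}: {key} not set (guide value {want})")
        elif got[0] != want:
            findings.append(f"{name}: {key} is {got[0]} (guide value {want})")
    if "wmm" not in settings:
        findings.append(f"{name}: wmm not enabled")
    opmode = settings.get("opmode", ["<none>"])[0]
    if opmode not in WPA2_AES_OPMODES:
        findings.append(f"{name}: opmode {opmode} is not WPA2-AES")
    # Basic rates below 6 Mbps are 802.11b rates, which the guide disallows.
    rates = [int(r) for r in settings.get("g-basic-rates", [])]
    if not rates:
        findings.append(f"{name}: g-basic-rates not set")
    elif min(rates) < 6:
        findings.append(f"{name}: basic rate {min(rates)} Mbps admits 802.11b clients")
    return findings


def audit_config(config_text, dtim_one_only=False):
    """Audit every ssid-profile stanza found in a configuration text."""
    findings = []
    for name, settings in parse_ssid_profiles(config_text).items():
        findings.extend(audit_profile(name, settings, dtim_one_only))
    return findings


if __name__ == "__main__":
    for line in audit_config(SAMPLE_CONFIG):
        print(line)
```

A keyword reported as "not set" means the stanza carries no explicit line for it, so the controller's default applies and should be checked by hand.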

Ascom i62 Setting Summary

Network settings for WPA2‐PSK

Network settings for 1X authentication (PEAP‐MSCHAPv2)

802.1X authentication requires a root certificate to be uploaded to the phone by "right clicking" -> Edit certificates. EAP-TLS will require both a root and a client certificate.

Note that both a root and a client certificate are needed for TLS. Otherwise only a root certificate is needed.

Server certificate validation can be overridden in version 4112 and above per handset setting (Validate server certificate under Network settings).

APPENDIX B

Test Summary

Description              Runs
Tests passed             24
Tests Not Run            11
Tests fail               0
Test NA                  0
Total Number of Tests    35

Aruba Test Configuration File

version 64 enable secret 7d3988e20126db68084797bcc038534bffc2ced01c24555806 hostname Aruba3400 clock timezone PST ‐8 location Building1floor1 controller config 716 ip NAT pool dynamic‐srcnat 0000 0000 ip access‐list eth validuserethacl permit any netservice svc‐pcoip2‐tcp tcp 4172 netservice svc‐snmp‐trap udp 162 netservice svc‐netbios‐dgm udp 138 netservice svc‐citrix tcp 2598 netservice svc‐smb‐tcp tcp 445 netservice svc‐ike udp 500 netservice svc‐l2tp udp 1701 netservice svc‐syslog udp 514 netservice svc‐dhcp udp 67 68 alg dhcp netservice svc‐https tcp 443 netservice svc‐ica tcp 1494 netservice svc‐pptp tcp 1723 netservice svc‐telnet tcp 23 netservice svc‐http‐accl tcp 88 netservice svc‐sccp tcp 2000 alg sccp netservice svc‐sec‐papi udp 8209 netservice svc‐tftp udp 69 alg tftp netservice svc‐kerberos udp 88 netservice svc‐sip‐tcp tcp 5060 netservice svc‐netbios‐ssn tcp 139 netservice svc‐pcoip‐udp udp 50002 netservice svc‐pcoip‐tcp tcp 50002 netservice svc‐pop3 tcp 110 netservice svc‐adp udp 8200 netservice svc‐cfgm‐tcp tcp 8211 netservice svc‐noe udp 32512 alg noe netservice svc‐http‐proxy3 tcp 8888 netservice svc‐lpd‐tcp tcp 631 netservice svc‐msrpc‐tcp tcp 135 139 netservice svc‐rtsp tcp 554 alg rtsp netservice svc‐dns udp 53 alg dns netservice vnc tcp 5900 5905 netservice svc‐vocera udp 5002 alg vocera netservice svc‐h323‐tcp tcp 1720 netservice svc‐h323‐udp udp 1718 1719 netservice svc‐http tcp 80 netservice svc‐nterm tcp 1026 1028 netservice svc‐sip‐udp udp 5060 netservice svc‐http‐proxy2 tcp 8080 netservice svc‐noe‐oxo udp 5000 alg noe netservice svc‐papi udp 8211 netservice svc‐ftp tcp 21 alg ftp netservice svc‐natt udp 4500 netservice svc‐svp 119 alg svp netservice svc‐microsoft‐ds tcp 445 netservice svc‐gre 47 netservice svc‐smtp tcp 25 netservice web tcp list 80 443 netservice svc‐smb‐udp udp 445 netservice svc‐sips tcp 5061 alg sips netservice svc‐netbios‐ns udp 137 netservice svc‐esp 50

netservice svc‐cups tcp 515 netservice svc‐pcoip2‐udp udp 4172 netservice svc‐bootp udp 67 69 netservice svc‐snmp udp 161 netservice svc‐v6‐dhcp udp 546 547 netservice svc‐icmp 1 netservice svc‐ntp udp 123 netservice svc‐msrpc‐udp udp 135 139 netservice svc‐ssh tcp 22 netservice svc‐http‐proxy1 tcp 3128 netservice svc‐v6‐icmp 58 netservice svc‐lpd‐udp udp 631 netservice svc‐vmware‐rdp tcp 3389 netdestination6 ipv6‐reserved‐range invert network 20003 netexthdr default time‐range night‐hours periodic weekday 1801 to 2359 weekday 0000 to 0759 time‐range weekend periodic weekend 0000 to 2359 time‐range working‐hours periodic weekday 0800 to 1800 ip access‐list session allow‐diskservices any any svc‐netbios‐dgm permit any any svc‐netbios‐ssn permit any any svc‐microsoft‐ds permit any any svc‐netbios‐ns permit ip access‐list session control any any svc‐papi permit any any svc‐sec‐papi permit user any udp 68 deny any any svc‐icmp permit any any svc‐dns permit any any svc‐cfgm‐tcp permit any any svc‐adp permit any any svc‐tftp permit any any svc‐dhcp permit any any svc‐natt permit ip access‐list session v6‐icmp‐acl ip access‐list session apprf‐ascom‐sacl ip access‐list session validuser network 16925400 25525500 any any deny network 127000 255000 any any deny network 224000 240000 any any deny host 255255255255 any any deny network 240000 240000 any any deny any any any permit ipv6 host fe80 any any deny ipv6 network fc007 any any permit ipv6 network fe8064 any any permit ipv6 alias ipv6‐reserved‐range any any deny ipv6 any any any permit ip access‐list session vocera‐acl any any svc‐vocera permit queue high

ip access‐list session v6‐https‐acl ip access‐list session vmware‐acl any any svc‐vmware‐rdp permit tos 46 dot1p‐priority 6 any any svc‐pcoip‐tcp permit tos 46 dot1p‐priority 6 any any svc‐pcoip‐udp permit tos 46 dot1p‐priority 6 any any svc‐pcoip2‐tcp permit tos 46 dot1p‐priority 6 any any svc‐pcoip2‐udp permit tos 46 dot1p‐priority 6 ip access‐list session apprf‐default‐vpn‐role‐sacl ip access‐list session v6‐control ipv6 any any svc‐papi permit ipv6 any any svc‐sec‐papi permit ipv6 user any udp 547 deny ipv6 any any svc‐v6‐icmp permit ipv6 any any svc‐dns permit ipv6 any any svc‐cfgm‐tcp permit ipv6 any any svc‐adp permit ipv6 any any svc‐tftp permit ipv6 any any svc‐dhcp permit ipv6 any any svc‐natt permit ip access‐list session icmp‐acl any any svc‐icmp permit ip access‐list session apprf‐authenticated‐sacl ip access‐list session apprf‐stateful‐dot1x‐sacl ip access‐list session captiveportal user alias controller svc‐https dst‐nat 8081 user any svc‐http dst‐nat 8080 user any svc‐https dst‐nat 8081 user any svc‐http‐proxy1 dst‐nat 8088 user any svc‐http‐proxy2 dst‐nat 8088 user any svc‐http‐proxy3 dst‐nat 8088 ip access‐list session v6‐dhcp‐acl ip access‐list session allowall any any any permit ip access‐list session v6‐dns‐acl ip access‐list session apprf‐voice‐sacl ip access‐list session lync‐acl any any svc‐sips permit queue high ip access‐list session test ip access‐list session sip‐acl any any svc‐sip‐udp permit queue high any any svc‐sip‐tcp permit queue high ip access‐list session https‐acl any any svc‐https permit ip access‐list session citrix‐acl any any svc‐citrix permit tos 46 dot1p‐priority 6 any any svc‐ica permit tos 46 dot1p‐priority 6 ip access‐list session dns‐acl any any svc‐dns permit

ip access‐list session ascom any any any permit ip access‐list session ra‐guard ipv6 user any icmpv6 rtr‐adv deny ip access‐list session allow‐printservices any any svc‐cups permit any any svc‐lpd‐tcp permit any any svc‐lpd‐udp permit ip access‐list session logon‐control user any udp 68 deny any any svc‐icmp permit any any svc‐dns permit any any svc‐dhcp permit any any svc‐natt permit any network 16925400 25525500 any deny any network 240000 240000 any deny ip access‐list session vpnlogon user any svc‐ike permit user any svc‐esp permit any any svc‐l2tp permit any any svc‐pptp permit any any svc‐gre permit ip access‐list session srcnat user any any src‐nat ip access‐list session skinny‐acl any any svc‐sccp permit queue high ip access‐list session tftp‐acl any any svc‐tftp permit ip access‐list session v6‐allowall ip access‐list session apprf‐cpbase‐sacl ip access‐list session cplogout user alias controller svc‐https dst‐nat 8081 ip access‐list session apprf‐default‐via‐role‐sacl ip access‐list session dhcp‐acl any any svc‐dhcp permit ip access‐list session http‐acl any any svc‐http permit ip access‐list session v6‐http‐acl ip access‐list session captiveportal6 ipv6 user alias controller6 svc‐https captive ipv6 user any svc‐http captive ipv6 user any svc‐https captive ipv6 user any svc‐http‐proxy1 captive ipv6 user any svc‐http‐proxy2 captive ipv6 user any svc‐http‐proxy3 captive ip access‐list session apprf‐guest‐sacl ip access‐list session ap‐uplink‐acl any any udp 68 permit

any any svc‐icmp permit any host 22400251 udp 5353 permit ip access‐list session ap‐acl any any svc‐gre permit any any svc‐syslog permit any user svc‐snmp permit user any svc‐http permit user any svc‐http‐accl permit user any svc‐smb‐tcp permit user any svc‐msrpc‐tcp permit user any svc‐snmp‐trap permit user any svc‐ntp permit user alias controller svc‐ftp permit ip access‐list session svp‐acl any any svc‐svp permit queue high user host 22401116 any permit ip access‐list session noe‐acl any any svc‐noe permit queue high ip access‐list session global‐sacl ip access‐list session v6‐ap‐acl ipv6 any any svc‐gre permit ipv6 any any svc‐syslog permit ipv6 any user svc‐snmp permit ipv6 user any svc‐snmp‐trap permit ipv6 user any svc‐ntp permit ipv6 user alias controller6 svc‐ftp permit ip access‐list session h323‐acl any any svc‐h323‐tcp permit queue high any any svc‐h323‐udp permit queue high ip access‐list session v6‐logon‐control ipv6 any network fc007 any permit ipv6 any network fe8064 any permit ipv6 any alias ipv6‐reserved‐range any deny vpn‐dialer default‐dialer ike authentication PRE‐SHARE 0fa4598253e270cc96afbec0732b06120e4a3d76a908f6e2 dot1x high‐watermark 60 dot1x low‐watermark 57 user‐role ap‐role access‐list session ra‐guard access‐list session control access‐list session ap‐acl access‐list session v6‐control access‐list session v6‐ap‐acl user‐role denyall user‐role default‐vpn‐role access‐list session global‐sacl access‐list session apprf‐default‐vpn‐role‐sacl access‐list session ra‐guard access‐list session allowall access‐list session v6‐allowall user‐role cpbase access‐list session global‐sacl access‐list session apprf‐cpbase‐sacl

user‐role voice access‐list session global‐sacl access‐list session apprf‐voice‐sacl access‐list session ra‐guard access‐list session sip‐acl access‐list session noe‐acl access‐list session svp‐acl access‐list session vocera‐acl access‐list session skinny‐acl access‐list session h323‐acl access‐list session dhcp‐acl access‐list session tftp‐acl access‐list session dns‐acl access‐list session icmp‐acl user‐role ascom access‐list session global‐sacl access‐list session apprf‐ascom‐sacl access‐list session ascom user‐role default‐via‐role access‐list session global‐sacl access‐list session apprf‐default‐via‐role‐sacl access‐list session allowall access‐list session v6‐allowall user‐role guest‐logon captive‐portal default access‐list session ra‐guard access‐list session logon‐control access‐list session captiveportal access‐list session v6‐logon‐control access‐list session captiveportal6 user‐role guest access‐list session global‐sacl access‐list session apprf‐guest‐sacl access‐list session ra‐guard access‐list session http‐acl access‐list session https‐acl access‐list session dhcp‐acl access‐list session icmp‐acl access‐list session dns‐acl access‐list session v6‐http‐acl access‐list session v6‐https‐acl access‐list session v6‐dhcp‐acl access‐list session v6‐icmp‐acl access‐list session v6‐dns‐acl user‐role stateful‐dot1x access‐list session global‐sacl access‐list session apprf‐stateful‐dot1x‐sacl user‐role authenticated access‐list session global‐sacl access‐list session apprf‐authenticated‐sacl access‐list session ra‐guard access‐list session allowall access‐list session v6‐allowall user‐role logon access‐list session ra‐guard access‐list session logon‐control access‐list session captiveportal access‐list session vpnlogon access‐list session v6‐logon‐control

access‐list session captiveportal6 no kernel coredump interface mgmt shutdown dialer group evdo_us init‐string ATQ0V1E0 dial‐string ATDT777 dialer group gsm_us init‐string AT+CGDCONT=1IPISPCINGULAR dial‐string ATD99 dialer group gsm_asia init‐string AT+CGDCONT=1IPinternet dial‐string ATD991 dialer group vivo_br init‐string AT+CGDCONT=1IPzapvivocombr dial‐string ATD99 no spanning‐tree interface gigabitethernet 10 description GE10 trusted trusted vlan 1‐4094 interface gigabitethernet 11 description GE11 trusted trusted vlan 1‐4094 interface gigabitethernet 12 description GE12 trusted trusted vlan 1‐4094 interface gigabitethernet 13 description GE13 trusted trusted vlan 1‐4094 interface vlan 1 ip address 192168013 2552552550 ip default‐gateway 172201061 ip default‐gateway 192168050 uplink disable

crypto isakmp policy 20 encryption aes256 crypto isakmp policy 10001 crypto isakmp policy 10002 encryption aes256 authentication rsa‐sig crypto isakmp policy 10003 encryption aes256 crypto isakmp policy 10004 version v2 encryption aes256 authentication rsa‐sig crypto isakmp policy 10005 encryption aes256 crypto isakmp policy 10006 version v2 encryption aes128 authentication rsa‐sig crypto isakmp policy 10007 version v2 encryption aes128 crypto isakmp policy 10008 version v2 encryption aes128 hash sha2‐256‐128 group 19 authentication ecdsa‐256 prf prf‐hmac‐sha256 crypto isakmp policy 10009 version v2 encryption aes256 hash sha2‐384‐192 group 20 authentication ecdsa‐384 prf prf‐hmac‐sha384 crypto ipsec transform‐set default‐ha‐transform esp‐3des esp‐sha‐hmac crypto ipsec transform‐set default‐boc‐bm‐transform esp‐3des esp‐sha‐hmac crypto ipsec transform‐set default‐rap‐transform esp‐aes256 esp‐sha‐hmac crypto ipsec transform‐set default‐aes esp‐aes256 esp‐sha‐hmac crypto dynamic‐map default‐rap‐ipsecmap 10001 version v2 set transform‐set default‐gcm256 default‐gcm128 default‐rap‐transform crypto dynamic‐map default‐dynamicmap 10000 set transform‐set default‐transform default‐aes

crypto map GLOBAL‐IKEV2‐MAP 10000 ipsec‐isakmp dynamic default‐rap‐ipsecmap crypto map GLOBAL‐MAP 10000 ipsec‐isakmp dynamic default‐dynamicmap crypto isakmp eap‐passthrough eap‐tls crypto isakmp eap‐passthrough eap‐peap crypto isakmp eap‐passthrough eap‐mschapv2 vpdn group l2tp vpdn group pptp tunneled‐node‐address 0000 adp discovery enable adp igmp‐join enable adp igmp‐vlan 0 voice rtcp‐inactivity disable voice alg‐based‐cac enable voice sip‐midcall‐req‐timeout disable ap ap‐blacklist‐time 3600 ap flush‐r1‐on‐new‐r0 disable mgmt‐user admin root 5436b5a101681372db26d314e974065944317cd3e1fe6a5534 no database synchronize ip mobile domain default airgroup mdns enable airgroup dlna enable airgroup location‐discovery enable airgroup active‐wireless‐discovery disable airgroupservice airplay id _airplay_tcp id _raop_tcp id _appletv‐v2_tcp description AirPlay airgroupservice airprint id _ipp_tcp id _pdl‐datastream_tcp id _printer_tcp id _scanner_tcp id _universal_sub_ipp_tcp id _universal_sub_ipps_tcp id _printer_sub_http_tcp id _http_tcp

id _http‐alt_tcp id _ipp‐tls_tcp id _fax‐ipp_tcp id _riousbprint_tcp id _cups_sub_ipp_tcp id _cups_sub_fax‐ipp_tcp id _ica‐networking_tcp id _ptp_tcp id _canon‐bjnp1_tcp id _ipps_tcp id _ica‐networking2_tcp description AirPrint airgroupservice itunes id _home‐sharing_tcp id _apple‐mobdev_tcp id _daap_tcp id _dacp_tcp description iTunes airgroupservice remotemgmt id _ssh_tcp id _sftp‐ssh_tcp id _ftp_tcp id _telnet_tcp id _rfb_tcp id _net‐assistant_tcp description Remote management airgroupservice sharing id _odisk_tcp id _afpovertcp_tcp id _xgrid_tcp description Sharing airgroupservice chat id _presence_tcp description Chat airgroupservice googlecast id _googlecast_tcp description GoogleCast supported by Chromecast etc airgroupservice DIAL id urndial‐multiscreen‐orgservicedial1 id urndial‐multiscreen‐orgdevicedial1 description DIAL supported by Chromecast FireTV Roku etc airgroupservice DLNA Media id urnschemas‐upnp‐orgdeviceMediaServer1 id urnschemas‐upnp‐orgdeviceMediaServer2 id urnschemas‐upnp‐orgdeviceMediaServer3 id urnschemas‐upnp‐orgdeviceMediaServer4 id urnschemas‐upnp‐orgdeviceMediaRenderer1 id urnschemas‐upnp‐orgdeviceMediaRenderer2 id urnschemas‐upnp‐orgdeviceMediaRenderer3 id urnschemas‐upnp‐orgdeviceMediaPlayer1 description Media airgroupservice DLNA Print id urnschemas‐upnp‐orgdevicePrinter1 id urnschemas‐upnp‐orgservicePrintBasic1 id urnschemas‐upnp‐orgservicePrintEnhanced1 description Print airgroupservice allowall

description Remaining‐Services airgroup service airplay enable airgroup service airprint enable airgroup service itunes disable airgroup service remotemgmt disable airgroup service sharing disable airgroup service chat disable airgroup service googlecast disable airgroup service DIAL enable airgroup service DLNA Media disable airgroup service DLNA Print disable airgroup service allowall disable ip igmp ipv6 mld no firewall attack‐rate cp 1024 firewall enable ICE‐STUN based firewall traversal firewall attack‐rate grat‐arp 50 drop ipv6 firewall ext‐hdr‐parse‐len 100 firewall cp ip domain lookup country US aaa authentication mac default aaa authentication dot1x ArubaIntop‐dot1x_prof aaa authentication dot1x ascom machine‐authentication enable machine‐authentication machine‐default‐role ascom machine‐authentication user‐default‐role authenticated reauthentication termination enable termination eap‐type eap‐peap termination inner‐eap‐type eap‐mschapv2 aaa authentication dot1x default aaa authentication dot1x Freeradius machine‐authentication enable machine‐authentication machine‐default‐role ascom machine‐authentication user‐default‐role authenticated aaa authentication‐server radius Intop host 19216802

key 6035e299cd29e5ccb74cf92aac31ee2f aaa server‐group ascom auth‐server Internal aaa server‐group default auth‐server Internal set role condition role value‐of aaa server‐group intop auth‐server Intop aaa profile ascom initial‐role ascom authentication‐dot1x ascom dot1x‐default‐role authenticated dot1x‐server‐group ascom aaa profile default aaa profile default‐dot1x initial‐role ascom authentication‐dot1x Freeradius dot1x‐default‐role authenticated dot1x‐server‐group intop aaa profile default‐dot1x‐psk initial‐role ascom authentication‐dot1x default‐psk dot1x‐default‐role authenticated aaa authentication captive‐portal default aaa authentication wispr default aaa authentication vpn default aaa authentication vpn default‐rap aaa authentication mgmt aaa authentication stateful‐ntlm default aaa authentication stateful‐kerberos default aaa authentication stateful‐dot1x server‐group intop aaa authentication wired web‐server guest‐access‐email voice logging voice dialplan‐profile default app lync traffic‐control default voice real‐time‐config voice sip aaa password‐policy mgmt

control‐plane‐security no cpsec‐enable ids wms‐general‐profile poll‐retries 3 ids wms‐local‐system‐profile valid‐network‐oui‐profile upgrade‐profile license profile activate‐service‐whitelist file syncing profile ifmap cppm pan profile default pan active‐profile ap system‐profile default ap regulatory‐domain‐profile default country‐code US valid‐11g‐channel 1 valid‐11g‐channel 6 valid‐11g‐channel 11 valid‐11a‐channel 36 valid‐11a‐channel 40 valid‐11a‐channel 44 valid‐11a‐channel 48 valid‐11a‐channel 149 valid‐11a‐channel 153 valid‐11a‐channel 157 valid‐11a‐channel 161 valid‐11a‐channel 165 valid‐11g‐40mhz‐channel‐pair 1‐5 valid‐11g‐40mhz‐channel‐pair 7‐11 valid‐11a‐40mhz‐channel‐pair 36‐40 valid‐11a‐40mhz‐channel‐pair 44‐48 valid‐11a‐40mhz‐channel‐pair 149‐153 valid‐11a‐40mhz‐channel‐pair 157‐161 ap wired‐ap‐profile default ap enet‐link‐profile default ap mesh‐ht‐ssid‐profile default ap lldp med‐network‐policy‐profile default ap mesh‐cluster‐profile default ap lldp profile default ap mesh‐radio‐profile default ap wired‐port‐profile default ids general‐profile default ids unauthorized‐device‐profile default

ids profile default rf arm‐profile default assignment disable rf arm‐profile disable assignment disable no scanning no multi‐band‐scan rf optimization‐profile default rf event‐thresholds‐profile default rf am‐scan‐profile default rf dot11a‐radio‐profile ch 165 channel 48E tx‐power 6 arm‐profile disable rf dot11a‐radio‐profile ch 36 channel 36E tx‐power 25 dot11h arm‐profile disable rf dot11a‐radio‐profile ch 40 channel 40‐ tx‐power 22 rf dot11a‐radio‐profile ch149 channel 149E tx‐power 6 dot11h rf dot11a‐radio‐profile ch44 channel 44 tx‐power 16 rf dot11a‐radio‐profile default arm‐profile disable rf dot11g‐radio‐profile channel‐1 channel 1 tx‐power 6 dot11h arm‐profile disable rf dot11g‐radio‐profile channel‐11 channel 11 tx‐power 30 dot11h arm‐profile disable rf dot11g‐radio‐profile channel‐6 channel 6 tx‐power 25 dot11h arm‐profile disable rf dot11g‐radio‐profile default wlan handover‐trigger‐profile default

wlan rrm‐ie‐profile default wlan bcn‐rpt‐req‐profile default wlan dot11r‐profile default wlan tsm‐req‐profile default wlan voip‐cac‐profile default call‐capacity 5 bandwidth‐capacity 200 send‐sip‐status‐code client 503 send‐sip‐status‐code server 503 wlan ht‐ssid‐profile default no 40MHz‐enable no very‐high‐throughput‐enable no 80MHz‐enable no short‐guard‐intvl‐20MHz no short‐guard‐intvl‐40MHz no short‐guard‐intvl‐80MHz wlan hotspot anqp‐venue‐name‐profile default wlan hotspot anqp‐nwk‐auth‐profile default wlan hotspot anqp‐roam‐cons‐profile default wlan hotspot anqp‐nai‐realm‐profile default wlan hotspot anqp‐3gpp‐nwk‐profile default wlan hotspot h2qp‐operator‐friendly‐name‐profile default wlan hotspot h2qp‐wan‐metrics‐profile default wlan hotspot h2qp‐conn‐capability‐profile default wlan hotspot h2qp‐op‐cl‐profile default wlan hotspot anqp‐ip‐addr‐avail‐profile default wlan hotspot anqp‐domain‐name‐profile default wlan wmm‐traffic‐management‐profile Ascom enable‐shaping wlan edca‐parameters‐profile station default wlan edca‐parameters‐profile ap default wlan dot11k‐profile default wlan ssid‐profile ‐‐NEW‐‐ essid ArubaIntop2 wmm‐vo‐dscp 56 wmm‐vi‐dscp 40 wmm‐be‐dscp 24 wmm‐bk‐dscp 8 wlan ssid‐profile default essid ArubaIntop opmode wpa2‐psk‐aes dtim‐period 5 g‐basic‐rates 6 g‐tx‐rates 11 12 18 24 36 48 54

max‐retries 4 wmm wmm‐vo‐dscp 46 wmm‐vi‐dscp 40 wmm‐be‐dscp 26 wmm‐bk‐dscp 0 wepkey1 1317981aecb1ee9a3145cbeeabbbc99a4c29e309ef9c8544 wpa‐passphrase 50a78a5dac7e447441e028920cceef898a3ba5f29c6e2098 max‐tx‐fail 25 edca‐parameters‐profile station default edca‐parameters‐profile ap default wlan ssid‐profile test opmode wpa2‐psk‐aes wmm‐vo‐dscp 56 wmm‐vi‐dscp 40 wmm‐be‐dscp 24 wmm‐bk‐dscp 8 wpa‐passphrase c66913b490044f55538730b888a8522c02008a746fb88738 wlan hotspot advertisement‐profile default wlan hotspot hs2‐profile default wlan virtual‐ap default aaa‐profile default‐dot1x ap provisioning‐profile default rf arm‐rf‐domain‐profile arm‐rf‐domain‐key 49868e8b02680a8f03980ea4288197a4 ap‐lacp‐striping‐ip ap‐group default virtual‐ap default dot11a‐radio‐profile ch149 dot11g‐radio‐profile channel‐6 ap‐name 001a1eca2c1a dot11a‐radio‐profile ch 36 dot11g‐radio‐profile channel‐11 ap‐name 001a1eca2c76 dot11a‐radio‐profile ch 36 dot11g‐radio‐profile channel‐1 ap‐name 00246ccbf8b1 ap‐name 00246ccbf900 dot11a‐radio‐profile ch44 dot11g‐radio‐profile channel‐11 ap‐name 24dec6cacabc dot11a‐radio‐profile ch149 dot11g‐radio‐profile channel‐1 ap‐name 3400‐ap‐61‐a dot11g‐radio‐profile channel‐6 ap‐name 3400‐ap‐61‐b dot11g‐radio‐profile channel‐6 ap‐name 9c1c12c0c3bc dot11a‐radio‐profile ch 165 dot11g‐radio‐profile channel‐6

ap‐name 9c1c12c82e5c dot11a‐radio‐profile ch149 dot11g‐radio‐profile channel‐1 ap‐name 9c1c12cc6220 dot11a‐radio‐profile ch 36 dot11g‐radio‐profile channel‐6 ap‐name d8c7c8c0a168 dot11a‐radio‐profile ch 36 dot11g‐radio‐profile channel‐1 airgroup cppm‐server aaa logging level warnings security subcat ids logging level warnings security subcat ids‐ap snmp‐server enable trap snmp‐server trap source 0000 snmp‐server trap disable wlsxAdhocNetwork snmp‐server trap disable wlsxAdhocNetworkBridgeDetectedAP snmp‐server trap disable wlsxAdhocNetworkBridgeDetectedSta snmp‐server trap disable wlsxAdhocUsingValidSSID snmp‐server trap disable wlsxAuthMaxAclEntries snmp‐server trap disable wlsxAuthMaxBWContracts snmp‐server trap disable wlsxAuthMaxUserEntries snmp‐server trap disable wlsxAuthServerIsUp snmp‐server trap disable wlsxAuthServerReqTimedOut snmp‐server trap disable wlsxAuthServerTimedOut snmp‐server trap disable wlsxChannelChanged snmp‐server trap disable wlsxCoverageHoleDetected snmp‐server trap disable wlsxDBCommunicationFailure snmp‐server trap disable wlsxDisconnectStationAttack snmp‐server trap disable wlsxESIServerDown snmp‐server trap disable wlsxESIServerUp snmp‐server trap disable wlsxFanFailure snmp‐server trap disable wlsxFanTrayInserted snmp‐server trap disable wlsxFanTrayRemoved snmp‐server trap disable wlsxGBICInserted snmp‐server trap disable wlsxIpSpoofingDetected snmp‐server trap disable wlsxLCInserted snmp‐server trap disable wlsxLCRemoved snmp‐server trap disable wlsxLicenseExpiry snmp‐server trap disable wlsxLowMemory snmp‐server trap disable wlsxLowOnFlashSpace snmp‐server trap disable wlsxOutOfRangeTemperature snmp‐server trap disable wlsxOutOfRangeVoltage snmp‐server trap disable wlsxPowerSupplyFailure snmp‐server trap disable wlsxPowerSupplyMissing snmp‐server trap disable wlsxProcessDied snmp‐server trap disable wlsxProcessExceedsMemoryLimits snmp‐server trap disable wlsxSCInserted snmp‐server trap disable wlsxSignatureMatch snmp‐server trap 
disable wlsxStaUnAssociatedFromUnsecureAP snmp‐server trap disable wlsxStationAddedToBlackList snmp‐server trap disable wlsxStationRemovedFromBlackList snmp‐server trap disable wlsxSwitchIPChanged snmp‐server trap disable wlsxSwitchRoleChange snmp‐server trap disable wlsxUserAuthenticationFailed snmp‐server trap disable wlsxUserEntryAuthenticated snmp‐server trap disable wlsxUserEntryChanged snmp‐server trap disable wlsxUserEntryCreated snmp‐server trap disable wlsxUserEntryDeAuthenticated snmp‐server trap disable wlsxUserEntryDeleted snmp‐server trap disable wlsxVrrpStateChange

firewall‐visibility process monitor log end

access-list session ap-acl access-list session v6-control access-list session v6-ap-acluser-role denyalluser-role default-vpn-role access-list session global-sacl access-list session apprf-default-vpn-role-sacl access-list session ra-guard access-list session allowall access-list session v6-allowalluser-role cpbase access-list session global-sacl access-list session apprf-cpbase-sacluser-role voice access-list session global-sacl access-list session apprf-voice-sacl access-list session ra-guard access-list session sip-acl access-list session noe-acl access-list session svp-acl access-list session vocera-acl access-list session skinny-acl access-list session h323-acl access-list session dhcp-acl access-list session tftp-acl access-list session dns-acl access-list session icmp-acluser-role ascom access-list session global-sacl access-list session apprf-ascom-sacl access-list session ascomuser-role default-via-role access-list session global-sacl access-list session apprf-default-via-role-sacl access-list session allowall access-list session v6-allowalluser-role guest-logon captive-portal default access-list session ra-guard access-list session logon-control access-list session captiveportal access-list session v6-logon-control access-list session captiveportal6user-role guest access-list session global-sacl access-list session apprf-guest-sacl access-list session ra-guard access-list session http-acl access-list session https-acl access-list session dhcp-acl access-list session icmp-acl access-list session dns-acl access-list session v6-http-acl access-list session v6-https-acl access-list session v6-dhcp-acl access-list session v6-icmp-acl access-list session v6-dns-acluser-role stateful-dot1x access-list session global-sacl access-list session apprf-stateful-dot1x-sacluser-role authenticated access-list session global-sacl access-list session apprf-authenticated-sacl access-list session ra-guard access-list session allowall access-list session v6-allowalluser-role 
logon access-list session ra-guard access-list session logon-control access-list session captiveportal access-list session vpnlogon access-list session v6-logon-control access-list session captiveportal6no kernel coredumpinterface mgmtshutdowndialer group evdo_us init-string ATQ0V1E0 dial-string ATDT777dialer group gsm_us init-string AT+CGDCONT=1IPISPCINGULAR dial-string ATD99dialer group gsm_asia init-string AT+CGDCONT=1IPinternet dial-string ATD991dialer group vivo_br init-string AT+CGDCONT=1IPzapvivocombr dial-string ATD99no spanning-treeinterface gigabitethernet 10description GE10trustedtrusted vlan 1-4094interface gigabitethernet 11description GE11trustedtrusted vlan 1-4094interface gigabitethernet 12description GE12trustedtrusted vlan 1-4094interface gigabitethernet 13description GE13trustedtrusted vlan 1-4094interface vlan 1ip address 192168013 2552552550ip default-gateway 172201061ip default-gateway 192168050uplink disablecrypto isakmp policy 20 encryption aes256crypto isakmp policy 10001crypto isakmp policy 10002 encryption aes256 authentication rsa-sigcrypto isakmp policy 10003 encryption aes256crypto isakmp policy 10004 version v2 encryption aes256 authentication rsa-sigcrypto isakmp policy 10005 encryption aes256crypto isakmp policy 10006 version v2 encryption aes128 authentication rsa-sigcrypto isakmp policy 10007 version v2 encryption aes128crypto isakmp policy 10008 version v2 encryption aes128 hash sha2-256-128 group 19 authentication ecdsa-256 prf prf-hmac-sha256crypto isakmp policy 10009 version v2 encryption aes256 hash sha2-384-192 group 20 authentication ecdsa-384 prf prf-hmac-sha384crypto ipsec transform-set default-ha-transform esp-3des esp-sha-hmaccrypto ipsec transform-set default-boc-bm-transform esp-3des esp-sha-hmaccrypto ipsec transform-set default-rap-transform esp-aes256 esp-sha-hmaccrypto ipsec transform-set default-aes esp-aes256 esp-sha-hmaccrypto dynamic-map default-rap-ipsecmap 10001 version v2 set transform-set default-gcm256 
default-gcm128 default-rap-transform crypto dynamic-map default-dynamicmap 10000 set transform-set default-transform default-aes crypto map GLOBAL-IKEV2-MAP 10000 ipsec-isakmp dynamic default-rap-ipsecmapcrypto map GLOBAL-MAP 10000 ipsec-isakmp dynamic default-dynamicmapcrypto isakmp eap-passthrough eap-tlscrypto isakmp eap-passthrough eap-peapcrypto isakmp eap-passthrough eap-mschapv2vpdn group l2tp vpdn group pptptunneled-node-address 0000adp discovery enableadp igmp-join enableadp igmp-vlan 0voice rtcp-inactivity disablevoice alg-based-cac enablevoice sip-midcall-req-timeout disableap ap-blacklist-time 3600ap flush-r1-on-new-r0 disablemgmt-user admin root 5436b5a101681372db26d314e974065944317cd3e1fe6a5534no database synchronizeip mobile domain defaultairgroup mdns enableairgroup dlna enableairgroup location-discovery enableairgroup active-wireless-discovery disableairgroupservice airplay id _airplay_tcp id _raop_tcp id _appletv-v2_tcp description AirPlayairgroupservice airprint id _ipp_tcp id _pdl-datastream_tcp id _printer_tcp id _scanner_tcp id _universal_sub_ipp_tcp id _universal_sub_ipps_tcp id _printer_sub_http_tcp id _http_tcp id _http-alt_tcp id _ipp-tls_tcp id _fax-ipp_tcp id _riousbprint_tcp id _cups_sub_ipp_tcp id _cups_sub_fax-ipp_tcp id _ica-networking_tcp id _ptp_tcp id _canon-bjnp1_tcp id _ipps_tcp id _ica-networking2_tcp description AirPrintairgroupservice itunes id _home-sharing_tcp id _apple-mobdev_tcp id _daap_tcp id _dacp_tcp description iTunesairgroupservice remotemgmt id _ssh_tcp id _sftp-ssh_tcp id _ftp_tcp id _telnet_tcp id _rfb_tcp id _net-assistant_tcp description Remote managementairgroupservice sharing id _odisk_tcp id _afpovertcp_tcp id _xgrid_tcp description Sharingairgroupservice chat id _presence_tcp description Chatairgroupservice googlecast id _googlecast_tcp description GoogleCast supported by Chromecast etcairgroupservice DIAL id urndial-multiscreen-orgservicedial1 id urndial-multiscreen-orgdevicedial1 description DIAL 
supported by Chromecast FireTV Roku etcairgroupservice DLNA Media id urnschemas-upnp-orgdeviceMediaServer1 id urnschemas-upnp-orgdeviceMediaServer2 id urnschemas-upnp-orgdeviceMediaServer3 id urnschemas-upnp-orgdeviceMediaServer4 id urnschemas-upnp-orgdeviceMediaRenderer1 id urnschemas-upnp-orgdeviceMediaRenderer2 id urnschemas-upnp-orgdeviceMediaRenderer3 id urnschemas-upnp-orgdeviceMediaPlayer1 description Mediaairgroupservice DLNA Print id urnschemas-upnp-orgdevicePrinter1 id urnschemas-upnp-orgservicePrintBasic1 id urnschemas-upnp-orgservicePrintEnhanced1 description Printairgroupservice allowall description Remaining-Servicesairgroup service airplay enableairgroup service airprint enableairgroup service itunes disableairgroup service remotemgmt disableairgroup service sharing disableairgroup service chat disableairgroup service googlecast disableairgroup service DIAL enableairgroup service DLNA Media disableairgroup service DLNA Print disableairgroup service allowall disableip igmpipv6 mldno firewall attack-rate cp 1024firewall enable ICE-STUN based firewall traversalfirewall attack-rate grat-arp 50 dropipv6 firewall ext-hdr-parse-len 100firewall cpip domain lookupcountry USaaa authentication mac defaultaaa authentication dot1x ArubaIntop-dot1x_profaaa authentication dot1x ascom machine-authentication enable machine-authentication machine-default-role ascom machine-authentication user-default-role authenticated reauthentication termination enable termination eap-type eap-peap termination inner-eap-type eap-mschapv2aaa authentication dot1x defaultaaa authentication dot1x Freeradius machine-authentication enable machine-authentication machine-default-role ascom machine-authentication user-default-role authenticatedaaa authentication-server radius Intop host 19216802 key 6035e299cd29e5ccb74cf92aac31ee2faaa server-group ascom auth-server Internalaaa server-group default auth-server Internal set role condition role value-ofaaa server-group intop auth-server 
Intopaaa profile ascom initial-role ascom authentication-dot1x ascom dot1x-default-role authenticated dot1x-server-group ascomaaa profile defaultaaa profile default-dot1x initial-role ascom authentication-dot1x Freeradius dot1x-default-role authenticated dot1x-server-group intopaaa profile default-dot1x-psk initial-role ascom authentication-dot1x default-psk dot1x-default-role authenticatedaaa authentication captive-portal defaultaaa authentication wispr defaultaaa authentication vpn defaultaaa authentication vpn default-rapaaa authentication mgmtaaa authentication stateful-ntlm defaultaaa authentication stateful-kerberos defaultaaa authentication stateful-dot1x server-group intopaaa authentication wiredweb-serverguest-access-emailvoice loggingvoice dialplan-profile defaultapp lync traffic-control defaultvoice real-time-configvoice sipaaa password-policy mgmtcontrol-plane-security no cpsec-enableids wms-general-profile poll-retries 3ids wms-local-system-profilevalid-network-oui-profileupgrade-profilelicense profileactivate-service-whitelistfile syncing profileifmap cppmpan profile defaultpan active-profileap system-profile defaultap regulatory-domain-profile default country-code US valid-11g-channel 1 valid-11g-channel 6 valid-11g-channel 11 valid-11a-channel 36 valid-11a-channel 40 valid-11a-channel 44 valid-11a-channel 48 valid-11a-channel 149 valid-11a-channel 153 valid-11a-channel 157 valid-11a-channel 161 valid-11a-channel 165 valid-11g-40mhz-channel-pair 1-5 valid-11g-40mhz-channel-pair 7-11 valid-11a-40mhz-channel-pair 36-40 valid-11a-40mhz-channel-pair 44-48 valid-11a-40mhz-channel-pair 149-153 valid-11a-40mhz-channel-pair 157-161ap wired-ap-profile defaultap enet-link-profile defaultap mesh-ht-ssid-profile defaultap lldp med-network-policy-profile defaultap mesh-cluster-profile defaultap lldp profile defaultap mesh-radio-profile defaultap wired-port-profile defaultids general-profile defaultids unauthorized-device-profile defaultids profile defaultrf 
arm-profile default assignment disablerf arm-profile disable assignment disable no scanning no multi-band-scanrf optimization-profile defaultrf event-thresholds-profile defaultrf am-scan-profile defaultrf dot11a-radio-profile ch 165 channel 48E tx-power 6 arm-profile disablerf dot11a-radio-profile ch 36 channel 36E tx-power 25 dot11h arm-profile disablerf dot11a-radio-profile ch 40 channel 40- tx-power 22rf dot11a-radio-profile ch149 channel 149E tx-power 6 dot11hrf dot11a-radio-profile ch44 channel 44 tx-power 16rf dot11a-radio-profile default arm-profile disablerf dot11g-radio-profile channel-1 channel 1 tx-power 6 dot11h arm-profile disablerf dot11g-radio-profile channel-11 channel 11 tx-power 30 dot11h arm-profile disablerf dot11g-radio-profile channel-6 channel 6 tx-power 25 dot11h arm-profile disablerf dot11g-radio-profile defaultwlan handover-trigger-profile defaultwlan rrm-ie-profile defaultwlan bcn-rpt-req-profile defaultwlan dot11r-profile defaultwlan tsm-req-profile defaultwlan voip-cac-profile default call-capacity 5 bandwidth-capacity 200 send-sip-status-code client 503 send-sip-status-code server 503wlan ht-ssid-profile default no 40MHz-enable no very-high-throughput-enable no 80MHz-enable no short-guard-intvl-20MHz no short-guard-intvl-40MHz no short-guard-intvl-80MHzwlan hotspot anqp-venue-name-profile defaultwlan hotspot anqp-nwk-auth-profile defaultwlan hotspot anqp-roam-cons-profile defaultwlan hotspot anqp-nai-realm-profile defaultwlan hotspot anqp-3gpp-nwk-profile defaultwlan hotspot h2qp-operator-friendly-name-profile defaultwlan hotspot h2qp-wan-metrics-profile defaultwlan hotspot h2qp-conn-capability-profile defaultwlan hotspot h2qp-op-cl-profile defaultwlan hotspot anqp-ip-addr-avail-profile defaultwlan hotspot anqp-domain-name-profile defaultwlan wmm-traffic-management-profile Ascom enable-shapingwlan edca-parameters-profile station defaultwlan edca-parameters-profile ap defaultwlan dot11k-profile defaultwlan ssid-profile --NEW-- essid 
ArubaIntop2 wmm-vo-dscp 56 wmm-vi-dscp 40 wmm-be-dscp 24 wmm-bk-dscp 8wlan ssid-profile default essid ArubaIntop opmode wpa2-psk-aes dtim-period 5 g-basic-rates 6 g-tx-rates 11 12 18 24 36 48 54 max-retries 4 wmm wmm-vo-dscp 46 wmm-vi-dscp 40 wmm-be-dscp 26 wmm-bk-dscp 0 wepkey1 1317981aecb1ee9a3145cbeeabbbc99a4c29e309ef9c8544 wpa-passphrase 50a78a5dac7e447441e028920cceef898a3ba5f29c6e2098 max-tx-fail 25 edca-parameters-profile station default edca-parameters-profile ap defaultwlan ssid-profile test opmode wpa2-psk-aes wmm-vo-dscp 56 wmm-vi-dscp 40 wmm-be-dscp 24 wmm-bk-dscp 8 wpa-passphrase c66913b490044f55538730b888a8522c02008a746fb88738wlan hotspot advertisement-profile defaultwlan hotspot hs2-profile defaultwlan virtual-ap default aaa-profile default-dot1xap provisioning-profile defaultrf arm-rf-domain-profile arm-rf-domain-key 49868e8b02680a8f03980ea4288197a4ap-lacp-striping-ipap-group default virtual-ap default dot11a-radio-profile ch149 dot11g-radio-profile channel-6ap-name 001a1eca2c1a dot11a-radio-profile ch 36 dot11g-radio-profile channel-11ap-name 001a1eca2c76 dot11a-radio-profile ch 36 dot11g-radio-profile channel-1ap-name 00246ccbf8b1ap-name 00246ccbf900 dot11a-radio-profile ch44 dot11g-radio-profile channel-11ap-name 24dec6cacabc dot11a-radio-profile ch149 dot11g-radio-profile channel-1ap-name 3400-ap-61-a dot11g-radio-profile channel-6ap-name 3400-ap-61-b dot11g-radio-profile channel-6ap-name 9c1c12c0c3bc dot11a-radio-profile ch 165 dot11g-radio-profile channel-6ap-name 9c1c12c82e5c dot11a-radio-profile ch149 dot11g-radio-profile channel-1ap-name 9c1c12cc6220 dot11a-radio-profile ch 36 dot11g-radio-profile channel-6ap-name d8c7c8c0a168 dot11a-radio-profile ch 36 dot11g-radio-profile channel-1airgroup cppm-server aaalogging level warnings security subcat idslogging level warnings security subcat ids-apsnmp-server enable trapsnmp-server trap source 0000snmp-server trap disable wlsxAdhocNetworksnmp-server trap disable 
wlsxAdhocNetworkBridgeDetectedAPsnmp-server trap disable wlsxAdhocNetworkBridgeDetectedStasnmp-server trap disable wlsxAdhocUsingValidSSIDsnmp-server trap disable wlsxAuthMaxAclEntriessnmp-server trap disable wlsxAuthMaxBWContractssnmp-server trap disable wlsxAuthMaxUserEntriessnmp-server trap disable wlsxAuthServerIsUpsnmp-server trap disable wlsxAuthServerReqTimedOutsnmp-server trap disable wlsxAuthServerTimedOutsnmp-server trap disable wlsxChannelChangedsnmp-server trap disable wlsxCoverageHoleDetectedsnmp-server trap disable wlsxDBCommunicationFailuresnmp-server trap disable wlsxDisconnectStationAttacksnmp-server trap disable wlsxESIServerDownsnmp-server trap disable wlsxESIServerUpsnmp-server trap disable wlsxFanFailuresnmp-server trap disable wlsxFanTrayInsertedsnmp-server trap disable wlsxFanTrayRemovedsnmp-server trap disable wlsxGBICInsertedsnmp-server trap disable wlsxIpSpoofingDetectedsnmp-server trap disable wlsxLCInsertedsnmp-server trap disable wlsxLCRemovedsnmp-server trap disable wlsxLicenseExpirysnmp-server trap disable wlsxLowMemorysnmp-server trap disable wlsxLowOnFlashSpacesnmp-server trap disable wlsxOutOfRangeTemperaturesnmp-server trap disable wlsxOutOfRangeVoltagesnmp-server trap disable wlsxPowerSupplyFailuresnmp-server trap disable wlsxPowerSupplyMissingsnmp-server trap disable wlsxProcessDiedsnmp-server trap disable wlsxProcessExceedsMemoryLimitssnmp-server trap disable wlsxSCInsertedsnmp-server trap disable wlsxSignatureMatchsnmp-server trap disable wlsxStaUnAssociatedFromUnsecureAPsnmp-server trap disable wlsxStationAddedToBlackListsnmp-server trap disable wlsxStationRemovedFromBlackListsnmp-server trap disable wlsxSwitchIPChangedsnmp-server trap disable wlsxSwitchRoleChangesnmp-server trap disable wlsxUserAuthenticationFailedsnmp-server trap disable wlsxUserEntryAuthenticatedsnmp-server trap disable wlsxUserEntryChangedsnmp-server trap disable wlsxUserEntryCreatedsnmp-server trap disable wlsxUserEntryDeAuthenticatedsnmp-server trap 
disable wlsxUserEntryDeletedsnmp-server trap disable wlsxVrrpStateChangefirewall-visibility process monitor logend


WLAN Interoperability Test Report

Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP115 and AP225

WLAN configuration: Beacon Interval 100 ms; DTIM Interval 5; 802.11d Regulatory Domain XX; WMM Enabled (AutoWMM); No Auto-tune; Single Voice VLAN

| Test Case | Description | AP115 2.4 GHz | AP115 5.0 GHz | AP225 2.4 GHz | AP225 5.0 GHz | Comment |
|---|---|---|---|---|---|---|
| | TEST AREA ASSOCIATION / AUTHENTICATION | | | | | |
| 101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS | |
| 104 | Association with WPA-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 105 | Association with WPA-PSK authentication, AES-CCMP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 106 | Association with WPA2-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS | |
| 110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL |
| 111 | Association with EAP-FAST authentication | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment |
| 116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate |
| | TEST AREA POWER-SAVE AND QOS | | | | | PASS |
| 150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL |
| 151 | Beacon period and DTIM interval | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
| 152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment |
| 202 | WMM prioritization | PASS | PASS | PASS | PASS | Background load generated with iPerf. No degeneration of voice quality |
| | TEST AREA PERFORMANCE | | | | | |
| 301 | Active mode - unencrypted | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 303 | Active mode - encrypted with WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 308 | Power-save mode U-APSD - WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 309 | Power-save mode U-APSD - WPA2-PSK AES, background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 310 | CAC - TSPEC | PASS | PASS | PASS | PASS | No TSPEC based CAC |
| | TEST AREA ROAMING AND HANDOVER TIMES | | | | | |
| 401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | avg a/n 24 ms, b/g/n 24 ms |
| 403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 52 ms, b/g/n 59 ms |
| 408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 63 ms, b/g/n 62 ms |
| 410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | always on, see 408 |
| 411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | always on, see 408 |
| | TEST AREA BATTERY LIFETIME | | | | | |
| 501 | Battery lifetime in idle | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 502 | Battery lifetime in call with no power save | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 504 | Battery lifetime in call with power save mode U-APSD | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| | TEST AREA STABILITY | | | | | |
| 601 | Duration of call - Active mode | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 602 | Duration of call - U-APSD mode | PASS | PASS | PASS | PASS | |
| | TEST AREA 802.11n | | | | | |
| 801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 804 | 40 MHz channels | NOT TESTED | PASS | NOT TESTED | NOT TESTED | |
| 805 | 802.11n rates | PASS | PASS | PASS | PASS | |

WLAN Interoperability Test Report

Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP103 and AP205

WLAN configuration: Beacon Interval 100 ms; DTIM Interval 5; 802.11d Regulatory Domain XX; WMM Enabled (AutoWMM); No Auto-tune; Single Voice VLAN

| Test Case | Description | AP205 2.4 GHz | AP205 5.0 GHz | AP103 2.4 GHz | AP103 5.0 GHz | Comment |
|---|---|---|---|---|---|---|
| | TEST AREA ASSOCIATION / AUTHENTICATION | | | | | |
| 101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS | |
| 104 | Association with WPA-PSK authentication, TKIP encryption | See Comment | See Comment | See Comment | See Comment | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 105 | Association with WPA-PSK authentication, AES-CCMP encryption | See Comment | See Comment | See Comment | See Comment | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 106 | Association with WPA2-PSK authentication, TKIP encryption | PASS | PASS | PASS | PASS | |
| 107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS | |
| 110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL |
| 115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment |
| 116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate |
| | TEST AREA POWER-SAVE AND QOS | | | | | PASS |
| 150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL |
| 151 | Beacon period and DTIM interval | See Comment | See Comment | PASS | PASS | Only DTIM 1 for AP205, AP103 no remark. NOT TESTED |
| 152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment |
| 202 | WMM prioritization | PASS | PASS | PASS | PASS | |
| | TEST AREA PERFORMANCE | | | | | |
| 301 | Active mode - unencrypted | PASS | PASS | PASS | PASS | |
| 303 | Active mode - encrypted with WPA2-PSK | PASS | PASS | PASS | PASS | |
| 308 | Power-save mode U-APSD - WPA2-PSK | PASS | PASS | PASS | PASS | |
| 309 | Power-save mode U-APSD - WPA2-PSK AES, background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 310 | CAC - TSPEC | PASS | PASS | PASS | PASS | Non TSPEC based CAC |
| | TEST AREA ROAMING AND HANDOVER TIMES | | | | | |
| 401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 16 ms, b/g/n 18 ms |
| 403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 53 ms, b/g/n 59 ms |
| 408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 46 ms, b/g/n 62 ms |
| 410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | always on, see 408 |
| 411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | always on, see 408 |
| | TEST AREA BATTERY LIFETIME | | | | | |
| 501 | Battery lifetime in idle | See Comment | See Comment | PASS | PASS | 60-70h due to DTIM 1 only, AP103 90-100h (DTIM 5) |
| 502 | Battery lifetime in call with no power save | PASS | PASS | PASS | PASS | 3-4 hours |
| 504 | Battery lifetime in call with power save mode U-APSD | PASS | PASS | PASS | PASS | 13h (14-16h for AP103) |
| | TEST AREA STABILITY | | | | | |
| 601 | Duration of call - Active mode | PASS | PASS | PASS | PASS | 24h + |
| 602 | Duration of call - U-APSD mode | PASS | PASS | PASS | PASS | 24h + |
| | TEST AREA 802.11n | | | | | |
| 801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 804 | 40 MHz channels | NOT TESTED | PASS | NOT TESTED | PASS | AP205 80 MHz channels verified OK |
| 805 | 802.11n rates | PASS | PASS | PASS | PASS | |

WLAN Interoperability Test Report

Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP105 and AP135

WLAN configuration: Beacon Interval 100 ms; DTIM Interval 5; 802.11d Regulatory Domain XX; WMM Enabled (AutoWMM); No Auto-tune; Single Voice VLAN

| Test Case | Description | AP105 2.4 GHz | AP105 5.0 GHz | AP135 2.4 GHz | AP135 5.0 GHz | Comment |
|---|---|---|---|---|---|---|
| | TEST AREA ASSOCIATION / AUTHENTICATION | | | | | |
| 101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS | |
| 104 | Association with WPA-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 105 | Association with WPA-PSK authentication, AES-CCMP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 106 | Association with WPA2-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS | |
| 110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL |
| 115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment |
| 116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate |
| | TEST AREA POWER-SAVE AND QOS | | | | | PASS |
| 150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL |
| 151 | Beacon period and DTIM interval | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Only DTIM 1 for AP205, AP103 no remark. NOT TESTED |
| 152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment |
| 202 | WMM prioritization | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Background load generated with iPerf. No degeneration of voice quality |
| | TEST AREA PERFORMANCE | | | | | |
| 301 | Active mode - unencrypted | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 303 | Active mode - encrypted with WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 308 | Power-save mode U-APSD - WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 309 | Power-save mode U-APSD - WPA2-PSK AES, background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 310 | CAC - TSPEC | PASS | PASS | PASS | PASS | No TSPEC based CAC |
| | TEST AREA ROAMING AND HANDOVER TIMES | | | | | |
| 401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | avg a/n 29 ms, b/g/n 27 ms |
| 403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 57 ms, b/g/n 55 ms |
| 408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 62 ms, b/g/n 60 ms |
| 410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | Always on, see 408 |
| 411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | Always on, see 408 |
| 412 | Preauthentication | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| | TEST AREA BATTERY LIFETIME | | | | | |
| 501 | Battery lifetime in idle | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 502 | Battery lifetime in call with no power save | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 504 | Battery lifetime in call with power save mode U-APSD | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| | TEST AREA STABILITY | | | | | |
| 601 | Duration of call - Active mode | PASS | PASS | PASS | PASS | |
| 602 | Duration of call - U-APSD mode | PASS | PASS | PASS | PASS | |
| | TEST AREA 802.11n | | | | | |
| 801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 804 | 40 MHz channels | NOT TESTED | NOT TESTED | NOT TESTED | PASS | |
| 805 | 802.11n rates | PASS | PASS | PASS | PASS | |


Appendix 1

This section includes screenshots and explanations of the basic settings required to use Ascom i62 handsets with an Aruba 3400 Mobility Controller. Please note the security settings of each test case, as they were modified according to the needs of the test cases.

The configuration file is found at the end of this appendix.

General settings (SSID, Radio and QoS)

Set DTIM Interval to 5 (for AP-204/205/214/215/224/225 only value 1 is supported). This value is recommended for maximum battery conservation without impacting call quality. Using a lower value will also decrease the standby time slightly.


Ascom recommends disabling the lowest rates and recommends that 12 Mbit/s is the lowest basic rate.

Ensure that WMM and U-APSD are enabled. To match the default values in the i62, use DSCP 46 for voice, 26 for video and 0 for best effort. It is also recommended that "Max Transmit Attempts" be set to 4.

Note: To further optimize performance, it is recommended that 802.11b clients be disallowed from associating by setting 6 Mbps or 12 Mbps as Basic Rates in the 802.11g configuration.

Set “Maximum Transmit Failures” to 25.

“High throughput enable” enables 802.11n capabilities, which are supported in combination with Open encryption and WPA2-AES (PSK or Enterprise).

Ascom supports the use of both 40 MHz and Very High Throughput enabled SSIDs, including 80 MHz channels.

Ascom recommends a Beacon Interval of 100 ms and advertising 802.11d/h capabilities.

General guidelines when deploying Ascom i62 handsets (SW version 2.5.7 or later) in 802.11a/n environments:

1. Enabling more than 8 channels will degrade roaming performance. Ascom strongly recommends against going above this limit.

2. Using 40 MHz channels (or “channel-bonding”) will reduce the number of non-DFS channels to two in ETSI regions (Europe). In FCC regions (North America) 40 MHz is a more viable option because of the availability of additional non-DFS channels. The handset can co-exist with 40 MHz stations in the same ESS.

3. Make sure that all non-DFS channels are taken before resorting to DFS channels. The handset can cope in mixed non-DFS and DFS environments; however, due to the “unpredictability” introduced by radar detection protocols, voice quality may become distorted and roaming delayed. Hence Ascom recommends avoiding the use of DFS channels in VoWi-Fi deployments.

DFS: Dynamic Frequency Selection (radar detection).

Ascom recommends a Beacon Interval of 100 ms and advertising 802.11d/h capabilities. For 802.11b/g/n use only channels 1, 6 and 11. For 802.11a/n use channels in accordance with Aruba’s guidelines and in compliance with local regulations.

Encryption and Authentication Settings

WPA2-PSK: Set the security profile to WPA2-PSK with AES encryption.

Enterprise/802.1X authentication

Step 1: When configuring the authentication mode using a RADIUS server, the IP address and the secret must correspond to the IP address and the credential used by the RADIUS server. The RADIUS server should be added to a Server Group.

Step 2: Create an 802.1X Authentication Profile.

Step 3: Choose the 802.1X Authentication Profile created in the previous step and configure the Authentication Server Group.

Choose the configured AAA Profile and set WPA2-AES as the security mode.

See Appendix B for the controller configuration used for the certification process.
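
The controller-side values given in the general settings and encryption sections above can be checked mechanically against a running configuration. The following Python audit is an added example, not part of the Aruba/Ascom guide; the function names are illustrative, and the sample stanzas are transcribed from the test configuration in this document, reflowed one command per line (an assumed layout) with the key and passphrase lines left out.

```python
"""Audit ArubaOS `wlan ssid-profile` stanzas against this guide's recommended values."""

# Values stated in the guide text (general settings and encryption sections).
EXPECTED = {
    "dtim-period": "5",    # AP-204/205/214/215/224/225 support only the value 1
    "max-retries": "4",    # "Max Transmit Attempts"
    "max-tx-fail": "25",   # "Maximum Transmit Failures"
    "wmm-vo-dscp": "46",   # voice
    "wmm-vi-dscp": "26",   # video
    "wmm-be-dscp": "0",    # best effort
}
MIN_BASIC_RATE = 12                               # lowest basic rate Ascom recommends
WPA2_AES_OPMODES = {"wpa2-psk-aes", "wpa2-aes"}   # WPA2-AES, PSK or Enterprise

# Constructed sample: two ssid-profile stanzas from this document's test
# configuration. Assumption: stanza bodies are indented and end with "!".
SAMPLE_CONFIG = """\
wlan ssid-profile default
   essid ArubaIntop
   opmode wpa2-psk-aes
   dtim-period 5
   g-basic-rates 6
   g-tx-rates 11 12 18 24 36 48 54
   max-retries 4
   wmm
   wmm-vo-dscp 46
   wmm-vi-dscp 40
   wmm-be-dscp 26
   wmm-bk-dscp 0
   max-tx-fail 25
!
wlan ssid-profile test
   opmode wpa2-psk-aes
   wmm-vo-dscp 56
   wmm-vi-dscp 40
   wmm-be-dscp 24
   wmm-bk-dscp 8
!
"""


def parse_ssid_profiles(text):
    """Return {profile name: {keyword: [values]}} for every ssid-profile stanza."""
    profiles, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!":                        # stanza terminator
            current = None
        elif not raw[0].isspace():             # column-0 line starts a new stanza
            words = line.split(None, 2)
            is_ssid = words[:2] == ["wlan", "ssid-profile"] and len(words) == 3
            current = profiles.setdefault(words[2].strip('"'), {}) if is_ssid else None
        elif current is not None:
            key, *values = line.split()
            if key == "no" and values:         # "no wmm" switches a keyword off
                current.pop(values[0], None)
            else:
                current[key] = [v.strip('"') for v in values]
    return profiles


def audit_profile(settings, ap_supports_only_dtim_1=False):
    """Compare one parsed profile with the guide values; return a list of findings."""
    expected = dict(EXPECTED)
    if ap_supports_only_dtim_1:
        expected["dtim-period"] = "1"
    findings = []
    for key, want in expected.items():
        got = settings.get(key)
        if got is None:
            findings.append(f"{key}: not set explicitly, guide value is {want}")
        elif got != [want]:
            findings.append(f"{key}: {' '.join(got)}, guide value is {want}")
    if "wmm" not in settings:
        findings.append("wmm: not enabled in this profile")
    rates = [float(r) for r in settings.get("g-basic-rates", [])]
    if not rates:
        findings.append(f"g-basic-rates: not set explicitly, guide minimum is {MIN_BASIC_RATE}")
    elif min(rates) < MIN_BASIC_RATE:
        findings.append(f"g-basic-rates: lowest is {min(rates):g}, guide minimum is {MIN_BASIC_RATE}")
    modes = set(settings.get("opmode", []))
    if not modes or not modes <= WPA2_AES_OPMODES:
        shown = " ".join(sorted(modes)) or "none"
        findings.append(f"opmode: {shown}, guide uses WPA2-AES (PSK or Enterprise)")
    return findings


def audit_config(text, ap_supports_only_dtim_1=False):
    """Audit every ssid-profile in a configuration; return {name: findings}."""
    return {name: audit_profile(settings, ap_supports_only_dtim_1)
            for name, settings in parse_ssid_profiles(text).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"ssid-profile {name}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Run against the two sample profiles, it reports the video and best-effort DSCP values and the 6 Mbit/s basic rate of the default profile as differing from the values given in the text.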

Ascom i62 Setting Summary

Network settings for WPA2-PSK

Network settings for 802.1X authentication (PEAP-MSCHAPv2)

802.1X authentication requires a root certificate to be uploaded to the phone by “right clicking” -> Edit certificates. EAP-TLS will require both a root and a client certificate.

Note that both a root and a client certificate are needed for TLS. Otherwise only a root certificate is needed.

Server certificate validation can be overridden in version 4.1.12 and above per handset setting (“Validate server certificate” under Network settings).

APPENDIX B

Test Summary

Description              Runs
Tests passed             24
Tests Not Run            11
Tests fail               0
Test NA                  0
Total Number of Tests    35

Aruba Test Configuration File

version 64 enable secret 7d3988e20126db68084797bcc038534bffc2ced01c24555806 hostname Aruba3400 clock timezone PST ‐8 location Building1floor1 controller config 716 ip NAT pool dynamic‐srcnat 0000 0000 ip access‐list eth validuserethacl permit any netservice svc‐pcoip2‐tcp tcp 4172 netservice svc‐snmp‐trap udp 162 netservice svc‐netbios‐dgm udp 138 netservice svc‐citrix tcp 2598 netservice svc‐smb‐tcp tcp 445 netservice svc‐ike udp 500 netservice svc‐l2tp udp 1701 netservice svc‐syslog udp 514 netservice svc‐dhcp udp 67 68 alg dhcp netservice svc‐https tcp 443 netservice svc‐ica tcp 1494 netservice svc‐pptp tcp 1723 netservice svc‐telnet tcp 23 netservice svc‐http‐accl tcp 88 netservice svc‐sccp tcp 2000 alg sccp netservice svc‐sec‐papi udp 8209 netservice svc‐tftp udp 69 alg tftp netservice svc‐kerberos udp 88 netservice svc‐sip‐tcp tcp 5060 netservice svc‐netbios‐ssn tcp 139 netservice svc‐pcoip‐udp udp 50002 netservice svc‐pcoip‐tcp tcp 50002 netservice svc‐pop3 tcp 110 netservice svc‐adp udp 8200 netservice svc‐cfgm‐tcp tcp 8211 netservice svc‐noe udp 32512 alg noe netservice svc‐http‐proxy3 tcp 8888 netservice svc‐lpd‐tcp tcp 631 netservice svc‐msrpc‐tcp tcp 135 139 netservice svc‐rtsp tcp 554 alg rtsp netservice svc‐dns udp 53 alg dns netservice vnc tcp 5900 5905 netservice svc‐vocera udp 5002 alg vocera netservice svc‐h323‐tcp tcp 1720 netservice svc‐h323‐udp udp 1718 1719 netservice svc‐http tcp 80 netservice svc‐nterm tcp 1026 1028 netservice svc‐sip‐udp udp 5060 netservice svc‐http‐proxy2 tcp 8080 netservice svc‐noe‐oxo udp 5000 alg noe netservice svc‐papi udp 8211 netservice svc‐ftp tcp 21 alg ftp netservice svc‐natt udp 4500 netservice svc‐svp 119 alg svp netservice svc‐microsoft‐ds tcp 445 netservice svc‐gre 47 netservice svc‐smtp tcp 25 netservice web tcp list 80 443 netservice svc‐smb‐udp udp 445 netservice svc‐sips tcp 5061 alg sips netservice svc‐netbios‐ns udp 137 netservice svc‐esp 50

netservice svc‐cups tcp 515 netservice svc‐pcoip2‐udp udp 4172 netservice svc‐bootp udp 67 69 netservice svc‐snmp udp 161 netservice svc‐v6‐dhcp udp 546 547 netservice svc‐icmp 1 netservice svc‐ntp udp 123 netservice svc‐msrpc‐udp udp 135 139 netservice svc‐ssh tcp 22 netservice svc‐http‐proxy1 tcp 3128 netservice svc‐v6‐icmp 58 netservice svc‐lpd‐udp udp 631 netservice svc‐vmware‐rdp tcp 3389 netdestination6 ipv6‐reserved‐range invert network 20003 netexthdr default time‐range night‐hours periodic weekday 1801 to 2359 weekday 0000 to 0759 time‐range weekend periodic weekend 0000 to 2359 time‐range working‐hours periodic weekday 0800 to 1800 ip access‐list session allow‐diskservices any any svc‐netbios‐dgm permit any any svc‐netbios‐ssn permit any any svc‐microsoft‐ds permit any any svc‐netbios‐ns permit ip access‐list session control any any svc‐papi permit any any svc‐sec‐papi permit user any udp 68 deny any any svc‐icmp permit any any svc‐dns permit any any svc‐cfgm‐tcp permit any any svc‐adp permit any any svc‐tftp permit any any svc‐dhcp permit any any svc‐natt permit ip access‐list session v6‐icmp‐acl ip access‐list session apprf‐ascom‐sacl ip access‐list session validuser network 16925400 25525500 any any deny network 127000 255000 any any deny network 224000 240000 any any deny host 255255255255 any any deny network 240000 240000 any any deny any any any permit ipv6 host fe80 any any deny ipv6 network fc007 any any permit ipv6 network fe8064 any any permit ipv6 alias ipv6‐reserved‐range any any deny ipv6 any any any permit ip access‐list session vocera‐acl any any svc‐vocera permit queue high

ip access‐list session v6‐https‐acl ip access‐list session vmware‐acl any any svc‐vmware‐rdp permit tos 46 dot1p‐priority 6 any any svc‐pcoip‐tcp permit tos 46 dot1p‐priority 6 any any svc‐pcoip‐udp permit tos 46 dot1p‐priority 6 any any svc‐pcoip2‐tcp permit tos 46 dot1p‐priority 6 any any svc‐pcoip2‐udp permit tos 46 dot1p‐priority 6 ip access‐list session apprf‐default‐vpn‐role‐sacl ip access‐list session v6‐control ipv6 any any svc‐papi permit ipv6 any any svc‐sec‐papi permit ipv6 user any udp 547 deny ipv6 any any svc‐v6‐icmp permit ipv6 any any svc‐dns permit ipv6 any any svc‐cfgm‐tcp permit ipv6 any any svc‐adp permit ipv6 any any svc‐tftp permit ipv6 any any svc‐dhcp permit ipv6 any any svc‐natt permit ip access‐list session icmp‐acl any any svc‐icmp permit ip access‐list session apprf‐authenticated‐sacl ip access‐list session apprf‐stateful‐dot1x‐sacl ip access‐list session captiveportal user alias controller svc‐https dst‐nat 8081 user any svc‐http dst‐nat 8080 user any svc‐https dst‐nat 8081 user any svc‐http‐proxy1 dst‐nat 8088 user any svc‐http‐proxy2 dst‐nat 8088 user any svc‐http‐proxy3 dst‐nat 8088 ip access‐list session v6‐dhcp‐acl ip access‐list session allowall any any any permit ip access‐list session v6‐dns‐acl ip access‐list session apprf‐voice‐sacl ip access‐list session lync‐acl any any svc‐sips permit queue high ip access‐list session test ip access‐list session sip‐acl any any svc‐sip‐udp permit queue high any any svc‐sip‐tcp permit queue high ip access‐list session https‐acl any any svc‐https permit ip access‐list session citrix‐acl any any svc‐citrix permit tos 46 dot1p‐priority 6 any any svc‐ica permit tos 46 dot1p‐priority 6 ip access‐list session dns‐acl any any svc‐dns permit

ip access‐list session ascom any any any permit ip access‐list session ra‐guard ipv6 user any icmpv6 rtr‐adv deny ip access‐list session allow‐printservices any any svc‐cups permit any any svc‐lpd‐tcp permit any any svc‐lpd‐udp permit ip access‐list session logon‐control user any udp 68 deny any any svc‐icmp permit any any svc‐dns permit any any svc‐dhcp permit any any svc‐natt permit any network 16925400 25525500 any deny any network 240000 240000 any deny ip access‐list session vpnlogon user any svc‐ike permit user any svc‐esp permit any any svc‐l2tp permit any any svc‐pptp permit any any svc‐gre permit ip access‐list session srcnat user any any src‐nat ip access‐list session skinny‐acl any any svc‐sccp permit queue high ip access‐list session tftp‐acl any any svc‐tftp permit ip access‐list session v6‐allowall ip access‐list session apprf‐cpbase‐sacl ip access‐list session cplogout user alias controller svc‐https dst‐nat 8081 ip access‐list session apprf‐default‐via‐role‐sacl ip access‐list session dhcp‐acl any any svc‐dhcp permit ip access‐list session http‐acl any any svc‐http permit ip access‐list session v6‐http‐acl ip access‐list session captiveportal6 ipv6 user alias controller6 svc‐https captive ipv6 user any svc‐http captive ipv6 user any svc‐https captive ipv6 user any svc‐http‐proxy1 captive ipv6 user any svc‐http‐proxy2 captive ipv6 user any svc‐http‐proxy3 captive ip access‐list session apprf‐guest‐sacl ip access‐list session ap‐uplink‐acl any any udp 68 permit

any any svc‐icmp permit any host 22400251 udp 5353 permit ip access‐list session ap‐acl any any svc‐gre permit any any svc‐syslog permit any user svc‐snmp permit user any svc‐http permit user any svc‐http‐accl permit user any svc‐smb‐tcp permit user any svc‐msrpc‐tcp permit user any svc‐snmp‐trap permit user any svc‐ntp permit user alias controller svc‐ftp permit ip access‐list session svp‐acl any any svc‐svp permit queue high user host 22401116 any permit ip access‐list session noe‐acl any any svc‐noe permit queue high ip access‐list session global‐sacl ip access‐list session v6‐ap‐acl ipv6 any any svc‐gre permit ipv6 any any svc‐syslog permit ipv6 any user svc‐snmp permit ipv6 user any svc‐snmp‐trap permit ipv6 user any svc‐ntp permit ipv6 user alias controller6 svc‐ftp permit ip access‐list session h323‐acl any any svc‐h323‐tcp permit queue high any any svc‐h323‐udp permit queue high ip access‐list session v6‐logon‐control ipv6 any network fc007 any permit ipv6 any network fe8064 any permit ipv6 any alias ipv6‐reserved‐range any deny vpn‐dialer default‐dialer ike authentication PRE‐SHARE 0fa4598253e270cc96afbec0732b06120e4a3d76a908f6e2 dot1x high‐watermark 60 dot1x low‐watermark 57 user‐role ap‐role access‐list session ra‐guard access‐list session control access‐list session ap‐acl access‐list session v6‐control access‐list session v6‐ap‐acl user‐role denyall user‐role default‐vpn‐role access‐list session global‐sacl access‐list session apprf‐default‐vpn‐role‐sacl access‐list session ra‐guard access‐list session allowall access‐list session v6‐allowall user‐role cpbase access‐list session global‐sacl access‐list session apprf‐cpbase‐sacl

user‐role voice access‐list session global‐sacl access‐list session apprf‐voice‐sacl access‐list session ra‐guard access‐list session sip‐acl access‐list session noe‐acl access‐list session svp‐acl access‐list session vocera‐acl access‐list session skinny‐acl access‐list session h323‐acl access‐list session dhcp‐acl access‐list session tftp‐acl access‐list session dns‐acl access‐list session icmp‐acl user‐role ascom access‐list session global‐sacl access‐list session apprf‐ascom‐sacl access‐list session ascom user‐role default‐via‐role access‐list session global‐sacl access‐list session apprf‐default‐via‐role‐sacl access‐list session allowall access‐list session v6‐allowall user‐role guest‐logon captive‐portal default access‐list session ra‐guard access‐list session logon‐control access‐list session captiveportal access‐list session v6‐logon‐control access‐list session captiveportal6 user‐role guest access‐list session global‐sacl access‐list session apprf‐guest‐sacl access‐list session ra‐guard access‐list session http‐acl access‐list session https‐acl access‐list session dhcp‐acl access‐list session icmp‐acl access‐list session dns‐acl access‐list session v6‐http‐acl access‐list session v6‐https‐acl access‐list session v6‐dhcp‐acl access‐list session v6‐icmp‐acl access‐list session v6‐dns‐acl user‐role stateful‐dot1x access‐list session global‐sacl access‐list session apprf‐stateful‐dot1x‐sacl user‐role authenticated access‐list session global‐sacl access‐list session apprf‐authenticated‐sacl access‐list session ra‐guard access‐list session allowall access‐list session v6‐allowall user‐role logon access‐list session ra‐guard access‐list session logon‐control access‐list session captiveportal access‐list session vpnlogon access‐list session v6‐logon‐control

access‐list session captiveportal6 no kernel coredump interface mgmt shutdown dialer group evdo_us init‐string ATQ0V1E0 dial‐string ATDT777 dialer group gsm_us init‐string AT+CGDCONT=1IPISPCINGULAR dial‐string ATD99 dialer group gsm_asia init‐string AT+CGDCONT=1IPinternet dial‐string ATD991 dialer group vivo_br init‐string AT+CGDCONT=1IPzapvivocombr dial‐string ATD99 no spanning‐tree interface gigabitethernet 10 description GE10 trusted trusted vlan 1‐4094 interface gigabitethernet 11 description GE11 trusted trusted vlan 1‐4094 interface gigabitethernet 12 description GE12 trusted trusted vlan 1‐4094 interface gigabitethernet 13 description GE13 trusted trusted vlan 1‐4094 interface vlan 1 ip address 192168013 2552552550 ip default‐gateway 172201061 ip default‐gateway 192168050 uplink disable

crypto isakmp policy 20 encryption aes256 crypto isakmp policy 10001 crypto isakmp policy 10002 encryption aes256 authentication rsa‐sig crypto isakmp policy 10003 encryption aes256 crypto isakmp policy 10004 version v2 encryption aes256 authentication rsa‐sig crypto isakmp policy 10005 encryption aes256 crypto isakmp policy 10006 version v2 encryption aes128 authentication rsa‐sig crypto isakmp policy 10007 version v2 encryption aes128 crypto isakmp policy 10008 version v2 encryption aes128 hash sha2‐256‐128 group 19 authentication ecdsa‐256 prf prf‐hmac‐sha256 crypto isakmp policy 10009 version v2 encryption aes256 hash sha2‐384‐192 group 20 authentication ecdsa‐384 prf prf‐hmac‐sha384 crypto ipsec transform‐set default‐ha‐transform esp‐3des esp‐sha‐hmac crypto ipsec transform‐set default‐boc‐bm‐transform esp‐3des esp‐sha‐hmac crypto ipsec transform‐set default‐rap‐transform esp‐aes256 esp‐sha‐hmac crypto ipsec transform‐set default‐aes esp‐aes256 esp‐sha‐hmac crypto dynamic‐map default‐rap‐ipsecmap 10001 version v2 set transform‐set default‐gcm256 default‐gcm128 default‐rap‐transform crypto dynamic‐map default‐dynamicmap 10000 set transform‐set default‐transform default‐aes

crypto map GLOBAL‐IKEV2‐MAP 10000 ipsec‐isakmp dynamic default‐rap‐ipsecmap crypto map GLOBAL‐MAP 10000 ipsec‐isakmp dynamic default‐dynamicmap crypto isakmp eap‐passthrough eap‐tls crypto isakmp eap‐passthrough eap‐peap crypto isakmp eap‐passthrough eap‐mschapv2 vpdn group l2tp vpdn group pptp tunneled‐node‐address 0000 adp discovery enable adp igmp‐join enable adp igmp‐vlan 0 voice rtcp‐inactivity disable voice alg‐based‐cac enable voice sip‐midcall‐req‐timeout disable ap ap‐blacklist‐time 3600 ap flush‐r1‐on‐new‐r0 disable mgmt‐user admin root 5436b5a101681372db26d314e974065944317cd3e1fe6a5534 no database synchronize ip mobile domain default airgroup mdns enable airgroup dlna enable airgroup location‐discovery enable airgroup active‐wireless‐discovery disable airgroupservice airplay id _airplay_tcp id _raop_tcp id _appletv‐v2_tcp description AirPlay airgroupservice airprint id _ipp_tcp id _pdl‐datastream_tcp id _printer_tcp id _scanner_tcp id _universal_sub_ipp_tcp id _universal_sub_ipps_tcp id _printer_sub_http_tcp id _http_tcp

id _http‐alt_tcp id _ipp‐tls_tcp id _fax‐ipp_tcp id _riousbprint_tcp id _cups_sub_ipp_tcp id _cups_sub_fax‐ipp_tcp id _ica‐networking_tcp id _ptp_tcp id _canon‐bjnp1_tcp id _ipps_tcp id _ica‐networking2_tcp description AirPrint airgroupservice itunes id _home‐sharing_tcp id _apple‐mobdev_tcp id _daap_tcp id _dacp_tcp description iTunes airgroupservice remotemgmt id _ssh_tcp id _sftp‐ssh_tcp id _ftp_tcp id _telnet_tcp id _rfb_tcp id _net‐assistant_tcp description Remote management airgroupservice sharing id _odisk_tcp id _afpovertcp_tcp id _xgrid_tcp description Sharing airgroupservice chat id _presence_tcp description Chat airgroupservice googlecast id _googlecast_tcp description GoogleCast supported by Chromecast etc airgroupservice DIAL id urndial‐multiscreen‐orgservicedial1 id urndial‐multiscreen‐orgdevicedial1 description DIAL supported by Chromecast FireTV Roku etc airgroupservice DLNA Media id urnschemas‐upnp‐orgdeviceMediaServer1 id urnschemas‐upnp‐orgdeviceMediaServer2 id urnschemas‐upnp‐orgdeviceMediaServer3 id urnschemas‐upnp‐orgdeviceMediaServer4 id urnschemas‐upnp‐orgdeviceMediaRenderer1 id urnschemas‐upnp‐orgdeviceMediaRenderer2 id urnschemas‐upnp‐orgdeviceMediaRenderer3 id urnschemas‐upnp‐orgdeviceMediaPlayer1 description Media airgroupservice DLNA Print id urnschemas‐upnp‐orgdevicePrinter1 id urnschemas‐upnp‐orgservicePrintBasic1 id urnschemas‐upnp‐orgservicePrintEnhanced1 description Print airgroupservice allowall

description Remaining‐Services airgroup service airplay enable airgroup service airprint enable airgroup service itunes disable airgroup service remotemgmt disable airgroup service sharing disable airgroup service chat disable airgroup service googlecast disable airgroup service DIAL enable airgroup service DLNA Media disable airgroup service DLNA Print disable airgroup service allowall disable ip igmp ipv6 mld no firewall attack‐rate cp 1024 firewall enable ICE‐STUN based firewall traversal firewall attack‐rate grat‐arp 50 drop ipv6 firewall ext‐hdr‐parse‐len 100 firewall cp ip domain lookup country US aaa authentication mac default aaa authentication dot1x ArubaIntop‐dot1x_prof aaa authentication dot1x ascom machine‐authentication enable machine‐authentication machine‐default‐role ascom machine‐authentication user‐default‐role authenticated reauthentication termination enable termination eap‐type eap‐peap termination inner‐eap‐type eap‐mschapv2 aaa authentication dot1x default aaa authentication dot1x Freeradius machine‐authentication enable machine‐authentication machine‐default‐role ascom machine‐authentication user‐default‐role authenticated aaa authentication‐server radius Intop host 19216802

key 6035e299cd29e5ccb74cf92aac31ee2f aaa server‐group ascom auth‐server Internal aaa server‐group default auth‐server Internal set role condition role value‐of aaa server‐group intop auth‐server Intop aaa profile ascom initial‐role ascom authentication‐dot1x ascom dot1x‐default‐role authenticated dot1x‐server‐group ascom aaa profile default aaa profile default‐dot1x initial‐role ascom authentication‐dot1x Freeradius dot1x‐default‐role authenticated dot1x‐server‐group intop aaa profile default‐dot1x‐psk initial‐role ascom authentication‐dot1x default‐psk dot1x‐default‐role authenticated aaa authentication captive‐portal default aaa authentication wispr default aaa authentication vpn default aaa authentication vpn default‐rap aaa authentication mgmt aaa authentication stateful‐ntlm default aaa authentication stateful‐kerberos default aaa authentication stateful‐dot1x server‐group intop aaa authentication wired web‐server guest‐access‐email voice logging voice dialplan‐profile default app lync traffic‐control default voice real‐time‐config voice sip aaa password‐policy mgmt

control‐plane‐security no cpsec‐enable ids wms‐general‐profile poll‐retries 3 ids wms‐local‐system‐profile valid‐network‐oui‐profile upgrade‐profile license profile activate‐service‐whitelist file syncing profile ifmap cppm pan profile default pan active‐profile ap system‐profile default ap regulatory‐domain‐profile default country‐code US valid‐11g‐channel 1 valid‐11g‐channel 6 valid‐11g‐channel 11 valid‐11a‐channel 36 valid‐11a‐channel 40 valid‐11a‐channel 44 valid‐11a‐channel 48 valid‐11a‐channel 149 valid‐11a‐channel 153 valid‐11a‐channel 157 valid‐11a‐channel 161 valid‐11a‐channel 165 valid‐11g‐40mhz‐channel‐pair 1‐5 valid‐11g‐40mhz‐channel‐pair 7‐11 valid‐11a‐40mhz‐channel‐pair 36‐40 valid‐11a‐40mhz‐channel‐pair 44‐48 valid‐11a‐40mhz‐channel‐pair 149‐153 valid‐11a‐40mhz‐channel‐pair 157‐161 ap wired‐ap‐profile default ap enet‐link‐profile default ap mesh‐ht‐ssid‐profile default ap lldp med‐network‐policy‐profile default ap mesh‐cluster‐profile default ap lldp profile default ap mesh‐radio‐profile default ap wired‐port‐profile default ids general‐profile default ids unauthorized‐device‐profile default

ids profile default rf arm‐profile default assignment disable rf arm‐profile disable assignment disable no scanning no multi‐band‐scan rf optimization‐profile default rf event‐thresholds‐profile default rf am‐scan‐profile default rf dot11a‐radio‐profile ch 165 channel 48E tx‐power 6 arm‐profile disable rf dot11a‐radio‐profile ch 36 channel 36E tx‐power 25 dot11h arm‐profile disable rf dot11a‐radio‐profile ch 40 channel 40‐ tx‐power 22 rf dot11a‐radio‐profile ch149 channel 149E tx‐power 6 dot11h rf dot11a‐radio‐profile ch44 channel 44 tx‐power 16 rf dot11a‐radio‐profile default arm‐profile disable rf dot11g‐radio‐profile channel‐1 channel 1 tx‐power 6 dot11h arm‐profile disable rf dot11g‐radio‐profile channel‐11 channel 11 tx‐power 30 dot11h arm‐profile disable rf dot11g‐radio‐profile channel‐6 channel 6 tx‐power 25 dot11h arm‐profile disable rf dot11g‐radio‐profile default wlan handover‐trigger‐profile default

wlan rrm‐ie‐profile default wlan bcn‐rpt‐req‐profile default wlan dot11r‐profile default wlan tsm‐req‐profile default wlan voip‐cac‐profile default call‐capacity 5 bandwidth‐capacity 200 send‐sip‐status‐code client 503 send‐sip‐status‐code server 503 wlan ht‐ssid‐profile default no 40MHz‐enable no very‐high‐throughput‐enable no 80MHz‐enable no short‐guard‐intvl‐20MHz no short‐guard‐intvl‐40MHz no short‐guard‐intvl‐80MHz wlan hotspot anqp‐venue‐name‐profile default wlan hotspot anqp‐nwk‐auth‐profile default wlan hotspot anqp‐roam‐cons‐profile default wlan hotspot anqp‐nai‐realm‐profile default wlan hotspot anqp‐3gpp‐nwk‐profile default wlan hotspot h2qp‐operator‐friendly‐name‐profile default wlan hotspot h2qp‐wan‐metrics‐profile default wlan hotspot h2qp‐conn‐capability‐profile default wlan hotspot h2qp‐op‐cl‐profile default wlan hotspot anqp‐ip‐addr‐avail‐profile default wlan hotspot anqp‐domain‐name‐profile default wlan wmm‐traffic‐management‐profile Ascom enable‐shaping wlan edca‐parameters‐profile station default wlan edca‐parameters‐profile ap default wlan dot11k‐profile default wlan ssid‐profile ‐‐NEW‐‐ essid ArubaIntop2 wmm‐vo‐dscp 56 wmm‐vi‐dscp 40 wmm‐be‐dscp 24 wmm‐bk‐dscp 8 wlan ssid‐profile default essid ArubaIntop opmode wpa2‐psk‐aes dtim‐period 5 g‐basic‐rates 6 g‐tx‐rates 11 12 18 24 36 48 54

max‐retries 4 wmm wmm‐vo‐dscp 46 wmm‐vi‐dscp 40 wmm‐be‐dscp 26 wmm‐bk‐dscp 0 wepkey1 1317981aecb1ee9a3145cbeeabbbc99a4c29e309ef9c8544 wpa‐passphrase 50a78a5dac7e447441e028920cceef898a3ba5f29c6e2098 max‐tx‐fail 25 edca‐parameters‐profile station default edca‐parameters‐profile ap default wlan ssid‐profile test opmode wpa2‐psk‐aes wmm‐vo‐dscp 56 wmm‐vi‐dscp 40 wmm‐be‐dscp 24 wmm‐bk‐dscp 8 wpa‐passphrase c66913b490044f55538730b888a8522c02008a746fb88738 wlan hotspot advertisement‐profile default wlan hotspot hs2‐profile default wlan virtual‐ap default aaa‐profile default‐dot1x ap provisioning‐profile default rf arm‐rf‐domain‐profile arm‐rf‐domain‐key 49868e8b02680a8f03980ea4288197a4 ap‐lacp‐striping‐ip ap‐group default virtual‐ap default dot11a‐radio‐profile ch149 dot11g‐radio‐profile channel‐6 ap‐name 001a1eca2c1a dot11a‐radio‐profile ch 36 dot11g‐radio‐profile channel‐11 ap‐name 001a1eca2c76 dot11a‐radio‐profile ch 36 dot11g‐radio‐profile channel‐1 ap‐name 00246ccbf8b1 ap‐name 00246ccbf900 dot11a‐radio‐profile ch44 dot11g‐radio‐profile channel‐11 ap‐name 24dec6cacabc dot11a‐radio‐profile ch149 dot11g‐radio‐profile channel‐1 ap‐name 3400‐ap‐61‐a dot11g‐radio‐profile channel‐6 ap‐name 3400‐ap‐61‐b dot11g‐radio‐profile channel‐6 ap‐name 9c1c12c0c3bc dot11a‐radio‐profile ch 165 dot11g‐radio‐profile channel‐6

ap‐name 9c1c12c82e5c dot11a‐radio‐profile ch149 dot11g‐radio‐profile channel‐1 ap‐name 9c1c12cc6220 dot11a‐radio‐profile ch 36 dot11g‐radio‐profile channel‐6 ap‐name d8c7c8c0a168 dot11a‐radio‐profile ch 36 dot11g‐radio‐profile channel‐1 airgroup cppm‐server aaa logging level warnings security subcat ids logging level warnings security subcat ids‐ap snmp‐server enable trap snmp‐server trap source 0000 snmp‐server trap disable wlsxAdhocNetwork snmp‐server trap disable wlsxAdhocNetworkBridgeDetectedAP snmp‐server trap disable wlsxAdhocNetworkBridgeDetectedSta snmp‐server trap disable wlsxAdhocUsingValidSSID snmp‐server trap disable wlsxAuthMaxAclEntries snmp‐server trap disable wlsxAuthMaxBWContracts snmp‐server trap disable wlsxAuthMaxUserEntries snmp‐server trap disable wlsxAuthServerIsUp snmp‐server trap disable wlsxAuthServerReqTimedOut snmp‐server trap disable wlsxAuthServerTimedOut snmp‐server trap disable wlsxChannelChanged snmp‐server trap disable wlsxCoverageHoleDetected snmp‐server trap disable wlsxDBCommunicationFailure snmp‐server trap disable wlsxDisconnectStationAttack snmp‐server trap disable wlsxESIServerDown snmp‐server trap disable wlsxESIServerUp snmp‐server trap disable wlsxFanFailure snmp‐server trap disable wlsxFanTrayInserted snmp‐server trap disable wlsxFanTrayRemoved snmp‐server trap disable wlsxGBICInserted snmp‐server trap disable wlsxIpSpoofingDetected snmp‐server trap disable wlsxLCInserted snmp‐server trap disable wlsxLCRemoved snmp‐server trap disable wlsxLicenseExpiry snmp‐server trap disable wlsxLowMemory snmp‐server trap disable wlsxLowOnFlashSpace snmp‐server trap disable wlsxOutOfRangeTemperature snmp‐server trap disable wlsxOutOfRangeVoltage snmp‐server trap disable wlsxPowerSupplyFailure snmp‐server trap disable wlsxPowerSupplyMissing snmp‐server trap disable wlsxProcessDied snmp‐server trap disable wlsxProcessExceedsMemoryLimits snmp‐server trap disable wlsxSCInserted snmp‐server trap disable wlsxSignatureMatch snmp‐server trap 
disable wlsxStaUnAssociatedFromUnsecureAP snmp‐server trap disable wlsxStationAddedToBlackList snmp‐server trap disable wlsxStationRemovedFromBlackList snmp‐server trap disable wlsxSwitchIPChanged snmp‐server trap disable wlsxSwitchRoleChange snmp‐server trap disable wlsxUserAuthenticationFailed snmp‐server trap disable wlsxUserEntryAuthenticated snmp‐server trap disable wlsxUserEntryChanged snmp‐server trap disable wlsxUserEntryCreated snmp‐server trap disable wlsxUserEntryDeAuthenticated snmp‐server trap disable wlsxUserEntryDeleted snmp‐server trap disable wlsxVrrpStateChange

firewall‐visibility process monitor log end

access-list session ap-acl access-list session v6-control access-list session v6-ap-acluser-role denyalluser-role default-vpn-role access-list session global-sacl access-list session apprf-default-vpn-role-sacl access-list session ra-guard access-list session allowall access-list session v6-allowalluser-role cpbase access-list session global-sacl access-list session apprf-cpbase-sacluser-role voice access-list session global-sacl access-list session apprf-voice-sacl access-list session ra-guard access-list session sip-acl access-list session noe-acl access-list session svp-acl access-list session vocera-acl access-list session skinny-acl access-list session h323-acl access-list session dhcp-acl access-list session tftp-acl access-list session dns-acl access-list session icmp-acluser-role ascom access-list session global-sacl access-list session apprf-ascom-sacl access-list session ascomuser-role default-via-role access-list session global-sacl access-list session apprf-default-via-role-sacl access-list session allowall access-list session v6-allowalluser-role guest-logon captive-portal default access-list session ra-guard access-list session logon-control access-list session captiveportal access-list session v6-logon-control access-list session captiveportal6user-role guest access-list session global-sacl access-list session apprf-guest-sacl access-list session ra-guard access-list session http-acl access-list session https-acl access-list session dhcp-acl access-list session icmp-acl access-list session dns-acl access-list session v6-http-acl access-list session v6-https-acl access-list session v6-dhcp-acl access-list session v6-icmp-acl access-list session v6-dns-acluser-role stateful-dot1x access-list session global-sacl access-list session apprf-stateful-dot1x-sacluser-role authenticated access-list session global-sacl access-list session apprf-authenticated-sacl access-list session ra-guard access-list session allowall access-list session v6-allowalluser-role 
logon access-list session ra-guard access-list session logon-control access-list session captiveportal access-list session vpnlogon access-list session v6-logon-control access-list session captiveportal6no kernel coredumpinterface mgmtshutdowndialer group evdo_us init-string ATQ0V1E0 dial-string ATDT777dialer group gsm_us init-string AT+CGDCONT=1IPISPCINGULAR dial-string ATD99dialer group gsm_asia init-string AT+CGDCONT=1IPinternet dial-string ATD991dialer group vivo_br init-string AT+CGDCONT=1IPzapvivocombr dial-string ATD99no spanning-treeinterface gigabitethernet 10description GE10trustedtrusted vlan 1-4094interface gigabitethernet 11description GE11trustedtrusted vlan 1-4094interface gigabitethernet 12description GE12trustedtrusted vlan 1-4094interface gigabitethernet 13description GE13trustedtrusted vlan 1-4094interface vlan 1ip address 192168013 2552552550ip default-gateway 172201061ip default-gateway 192168050uplink disablecrypto isakmp policy 20 encryption aes256crypto isakmp policy 10001crypto isakmp policy 10002 encryption aes256 authentication rsa-sigcrypto isakmp policy 10003 encryption aes256crypto isakmp policy 10004 version v2 encryption aes256 authentication rsa-sigcrypto isakmp policy 10005 encryption aes256crypto isakmp policy 10006 version v2 encryption aes128 authentication rsa-sigcrypto isakmp policy 10007 version v2 encryption aes128crypto isakmp policy 10008 version v2 encryption aes128 hash sha2-256-128 group 19 authentication ecdsa-256 prf prf-hmac-sha256crypto isakmp policy 10009 version v2 encryption aes256 hash sha2-384-192 group 20 authentication ecdsa-384 prf prf-hmac-sha384crypto ipsec transform-set default-ha-transform esp-3des esp-sha-hmaccrypto ipsec transform-set default-boc-bm-transform esp-3des esp-sha-hmaccrypto ipsec transform-set default-rap-transform esp-aes256 esp-sha-hmaccrypto ipsec transform-set default-aes esp-aes256 esp-sha-hmaccrypto dynamic-map default-rap-ipsecmap 10001 version v2 set transform-set default-gcm256 
default-gcm128 default-rap-transform crypto dynamic-map default-dynamicmap 10000 set transform-set default-transform default-aes crypto map GLOBAL-IKEV2-MAP 10000 ipsec-isakmp dynamic default-rap-ipsecmapcrypto map GLOBAL-MAP 10000 ipsec-isakmp dynamic default-dynamicmapcrypto isakmp eap-passthrough eap-tlscrypto isakmp eap-passthrough eap-peapcrypto isakmp eap-passthrough eap-mschapv2vpdn group l2tp vpdn group pptptunneled-node-address 0000adp discovery enableadp igmp-join enableadp igmp-vlan 0voice rtcp-inactivity disablevoice alg-based-cac enablevoice sip-midcall-req-timeout disableap ap-blacklist-time 3600ap flush-r1-on-new-r0 disablemgmt-user admin root 5436b5a101681372db26d314e974065944317cd3e1fe6a5534no database synchronizeip mobile domain defaultairgroup mdns enableairgroup dlna enableairgroup location-discovery enableairgroup active-wireless-discovery disableairgroupservice airplay id _airplay_tcp id _raop_tcp id _appletv-v2_tcp description AirPlayairgroupservice airprint id _ipp_tcp id _pdl-datastream_tcp id _printer_tcp id _scanner_tcp id _universal_sub_ipp_tcp id _universal_sub_ipps_tcp id _printer_sub_http_tcp id _http_tcp id _http-alt_tcp id _ipp-tls_tcp id _fax-ipp_tcp id _riousbprint_tcp id _cups_sub_ipp_tcp id _cups_sub_fax-ipp_tcp id _ica-networking_tcp id _ptp_tcp id _canon-bjnp1_tcp id _ipps_tcp id _ica-networking2_tcp description AirPrintairgroupservice itunes id _home-sharing_tcp id _apple-mobdev_tcp id _daap_tcp id _dacp_tcp description iTunesairgroupservice remotemgmt id _ssh_tcp id _sftp-ssh_tcp id _ftp_tcp id _telnet_tcp id _rfb_tcp id _net-assistant_tcp description Remote managementairgroupservice sharing id _odisk_tcp id _afpovertcp_tcp id _xgrid_tcp description Sharingairgroupservice chat id _presence_tcp description Chatairgroupservice googlecast id _googlecast_tcp description GoogleCast supported by Chromecast etcairgroupservice DIAL id urndial-multiscreen-orgservicedial1 id urndial-multiscreen-orgdevicedial1 description DIAL 
supported by Chromecast FireTV Roku etcairgroupservice DLNA Media id urnschemas-upnp-orgdeviceMediaServer1 id urnschemas-upnp-orgdeviceMediaServer2 id urnschemas-upnp-orgdeviceMediaServer3 id urnschemas-upnp-orgdeviceMediaServer4 id urnschemas-upnp-orgdeviceMediaRenderer1 id urnschemas-upnp-orgdeviceMediaRenderer2 id urnschemas-upnp-orgdeviceMediaRenderer3 id urnschemas-upnp-orgdeviceMediaPlayer1 description Mediaairgroupservice DLNA Print id urnschemas-upnp-orgdevicePrinter1 id urnschemas-upnp-orgservicePrintBasic1 id urnschemas-upnp-orgservicePrintEnhanced1 description Printairgroupservice allowall description Remaining-Servicesairgroup service airplay enableairgroup service airprint enableairgroup service itunes disableairgroup service remotemgmt disableairgroup service sharing disableairgroup service chat disableairgroup service googlecast disableairgroup service DIAL enableairgroup service DLNA Media disableairgroup service DLNA Print disableairgroup service allowall disableip igmpipv6 mldno firewall attack-rate cp 1024firewall enable ICE-STUN based firewall traversalfirewall attack-rate grat-arp 50 dropipv6 firewall ext-hdr-parse-len 100firewall cpip domain lookupcountry USaaa authentication mac defaultaaa authentication dot1x ArubaIntop-dot1x_profaaa authentication dot1x ascom machine-authentication enable machine-authentication machine-default-role ascom machine-authentication user-default-role authenticated reauthentication termination enable termination eap-type eap-peap termination inner-eap-type eap-mschapv2aaa authentication dot1x defaultaaa authentication dot1x Freeradius machine-authentication enable machine-authentication machine-default-role ascom machine-authentication user-default-role authenticatedaaa authentication-server radius Intop host 19216802 key 6035e299cd29e5ccb74cf92aac31ee2faaa server-group ascom auth-server Internalaaa server-group default auth-server Internal set role condition role value-ofaaa server-group intop auth-server 
Intopaaa profile ascom initial-role ascom authentication-dot1x ascom dot1x-default-role authenticated dot1x-server-group ascomaaa profile defaultaaa profile default-dot1x initial-role ascom authentication-dot1x Freeradius dot1x-default-role authenticated dot1x-server-group intopaaa profile default-dot1x-psk initial-role ascom authentication-dot1x default-psk dot1x-default-role authenticatedaaa authentication captive-portal defaultaaa authentication wispr defaultaaa authentication vpn defaultaaa authentication vpn default-rapaaa authentication mgmtaaa authentication stateful-ntlm defaultaaa authentication stateful-kerberos defaultaaa authentication stateful-dot1x server-group intopaaa authentication wiredweb-serverguest-access-emailvoice loggingvoice dialplan-profile defaultapp lync traffic-control defaultvoice real-time-configvoice sipaaa password-policy mgmtcontrol-plane-security no cpsec-enableids wms-general-profile poll-retries 3ids wms-local-system-profilevalid-network-oui-profileupgrade-profilelicense profileactivate-service-whitelistfile syncing profileifmap cppmpan profile defaultpan active-profileap system-profile defaultap regulatory-domain-profile default country-code US valid-11g-channel 1 valid-11g-channel 6 valid-11g-channel 11 valid-11a-channel 36 valid-11a-channel 40 valid-11a-channel 44 valid-11a-channel 48 valid-11a-channel 149 valid-11a-channel 153 valid-11a-channel 157 valid-11a-channel 161 valid-11a-channel 165 valid-11g-40mhz-channel-pair 1-5 valid-11g-40mhz-channel-pair 7-11 valid-11a-40mhz-channel-pair 36-40 valid-11a-40mhz-channel-pair 44-48 valid-11a-40mhz-channel-pair 149-153 valid-11a-40mhz-channel-pair 157-161ap wired-ap-profile defaultap enet-link-profile defaultap mesh-ht-ssid-profile defaultap lldp med-network-policy-profile defaultap mesh-cluster-profile defaultap lldp profile defaultap mesh-radio-profile defaultap wired-port-profile defaultids general-profile defaultids unauthorized-device-profile defaultids profile defaultrf 
arm-profile default assignment disablerf arm-profile disable assignment disable no scanning no multi-band-scanrf optimization-profile defaultrf event-thresholds-profile defaultrf am-scan-profile defaultrf dot11a-radio-profile ch 165 channel 48E tx-power 6 arm-profile disablerf dot11a-radio-profile ch 36 channel 36E tx-power 25 dot11h arm-profile disablerf dot11a-radio-profile ch 40 channel 40- tx-power 22rf dot11a-radio-profile ch149 channel 149E tx-power 6 dot11hrf dot11a-radio-profile ch44 channel 44 tx-power 16rf dot11a-radio-profile default arm-profile disablerf dot11g-radio-profile channel-1 channel 1 tx-power 6 dot11h arm-profile disablerf dot11g-radio-profile channel-11 channel 11 tx-power 30 dot11h arm-profile disablerf dot11g-radio-profile channel-6 channel 6 tx-power 25 dot11h arm-profile disablerf dot11g-radio-profile defaultwlan handover-trigger-profile defaultwlan rrm-ie-profile defaultwlan bcn-rpt-req-profile defaultwlan dot11r-profile defaultwlan tsm-req-profile defaultwlan voip-cac-profile default call-capacity 5 bandwidth-capacity 200 send-sip-status-code client 503 send-sip-status-code server 503wlan ht-ssid-profile default no 40MHz-enable no very-high-throughput-enable no 80MHz-enable no short-guard-intvl-20MHz no short-guard-intvl-40MHz no short-guard-intvl-80MHzwlan hotspot anqp-venue-name-profile defaultwlan hotspot anqp-nwk-auth-profile defaultwlan hotspot anqp-roam-cons-profile defaultwlan hotspot anqp-nai-realm-profile defaultwlan hotspot anqp-3gpp-nwk-profile defaultwlan hotspot h2qp-operator-friendly-name-profile defaultwlan hotspot h2qp-wan-metrics-profile defaultwlan hotspot h2qp-conn-capability-profile defaultwlan hotspot h2qp-op-cl-profile defaultwlan hotspot anqp-ip-addr-avail-profile defaultwlan hotspot anqp-domain-name-profile defaultwlan wmm-traffic-management-profile Ascom enable-shapingwlan edca-parameters-profile station defaultwlan edca-parameters-profile ap defaultwlan dot11k-profile defaultwlan ssid-profile --NEW-- essid 
ArubaIntop2 wmm-vo-dscp 56 wmm-vi-dscp 40 wmm-be-dscp 24 wmm-bk-dscp 8wlan ssid-profile default essid ArubaIntop opmode wpa2-psk-aes dtim-period 5 g-basic-rates 6 g-tx-rates 11 12 18 24 36 48 54 max-retries 4 wmm wmm-vo-dscp 46 wmm-vi-dscp 40 wmm-be-dscp 26 wmm-bk-dscp 0 wepkey1 1317981aecb1ee9a3145cbeeabbbc99a4c29e309ef9c8544 wpa-passphrase 50a78a5dac7e447441e028920cceef898a3ba5f29c6e2098 max-tx-fail 25 edca-parameters-profile station default edca-parameters-profile ap defaultwlan ssid-profile test opmode wpa2-psk-aes wmm-vo-dscp 56 wmm-vi-dscp 40 wmm-be-dscp 24 wmm-bk-dscp 8 wpa-passphrase c66913b490044f55538730b888a8522c02008a746fb88738wlan hotspot advertisement-profile defaultwlan hotspot hs2-profile defaultwlan virtual-ap default aaa-profile default-dot1xap provisioning-profile defaultrf arm-rf-domain-profile arm-rf-domain-key 49868e8b02680a8f03980ea4288197a4ap-lacp-striping-ipap-group default virtual-ap default dot11a-radio-profile ch149 dot11g-radio-profile channel-6ap-name 001a1eca2c1a dot11a-radio-profile ch 36 dot11g-radio-profile channel-11ap-name 001a1eca2c76 dot11a-radio-profile ch 36 dot11g-radio-profile channel-1ap-name 00246ccbf8b1ap-name 00246ccbf900 dot11a-radio-profile ch44 dot11g-radio-profile channel-11ap-name 24dec6cacabc dot11a-radio-profile ch149 dot11g-radio-profile channel-1ap-name 3400-ap-61-a dot11g-radio-profile channel-6ap-name 3400-ap-61-b dot11g-radio-profile channel-6ap-name 9c1c12c0c3bc dot11a-radio-profile ch 165 dot11g-radio-profile channel-6ap-name 9c1c12c82e5c dot11a-radio-profile ch149 dot11g-radio-profile channel-1ap-name 9c1c12cc6220 dot11a-radio-profile ch 36 dot11g-radio-profile channel-6ap-name d8c7c8c0a168 dot11a-radio-profile ch 36 dot11g-radio-profile channel-1airgroup cppm-server aaalogging level warnings security subcat idslogging level warnings security subcat ids-apsnmp-server enable trapsnmp-server trap source 0000snmp-server trap disable wlsxAdhocNetworksnmp-server trap disable 
wlsxAdhocNetworkBridgeDetectedAPsnmp-server trap disable wlsxAdhocNetworkBridgeDetectedStasnmp-server trap disable wlsxAdhocUsingValidSSIDsnmp-server trap disable wlsxAuthMaxAclEntriessnmp-server trap disable wlsxAuthMaxBWContractssnmp-server trap disable wlsxAuthMaxUserEntriessnmp-server trap disable wlsxAuthServerIsUpsnmp-server trap disable wlsxAuthServerReqTimedOutsnmp-server trap disable wlsxAuthServerTimedOutsnmp-server trap disable wlsxChannelChangedsnmp-server trap disable wlsxCoverageHoleDetectedsnmp-server trap disable wlsxDBCommunicationFailuresnmp-server trap disable wlsxDisconnectStationAttacksnmp-server trap disable wlsxESIServerDownsnmp-server trap disable wlsxESIServerUpsnmp-server trap disable wlsxFanFailuresnmp-server trap disable wlsxFanTrayInsertedsnmp-server trap disable wlsxFanTrayRemovedsnmp-server trap disable wlsxGBICInsertedsnmp-server trap disable wlsxIpSpoofingDetectedsnmp-server trap disable wlsxLCInsertedsnmp-server trap disable wlsxLCRemovedsnmp-server trap disable wlsxLicenseExpirysnmp-server trap disable wlsxLowMemorysnmp-server trap disable wlsxLowOnFlashSpacesnmp-server trap disable wlsxOutOfRangeTemperaturesnmp-server trap disable wlsxOutOfRangeVoltagesnmp-server trap disable wlsxPowerSupplyFailuresnmp-server trap disable wlsxPowerSupplyMissingsnmp-server trap disable wlsxProcessDiedsnmp-server trap disable wlsxProcessExceedsMemoryLimitssnmp-server trap disable wlsxSCInsertedsnmp-server trap disable wlsxSignatureMatchsnmp-server trap disable wlsxStaUnAssociatedFromUnsecureAPsnmp-server trap disable wlsxStationAddedToBlackListsnmp-server trap disable wlsxStationRemovedFromBlackListsnmp-server trap disable wlsxSwitchIPChangedsnmp-server trap disable wlsxSwitchRoleChangesnmp-server trap disable wlsxUserAuthenticationFailedsnmp-server trap disable wlsxUserEntryAuthenticatedsnmp-server trap disable wlsxUserEntryChangedsnmp-server trap disable wlsxUserEntryCreatedsnmp-server trap disable wlsxUserEntryDeAuthenticatedsnmp-server trap 
disable wlsxUserEntryDeletedsnmp-server trap disable wlsxVrrpStateChangefirewall-visibility process monitor logend
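The configuration above is a lab setup used for interoperability testing. The following added example (not part of the original guide, and not Aruba or Ascom code) shows one way to review such a configuration before reusing it: it flags allow-all session ACLs bound to roles and initial roles, 3DES transform sets, disabled control-plane security, and lines that carry credential material. The sample input is a constructed excerpt; its indented layout with `!` separators is an assumption about the export format, and the finding names are hypothetical.

```python
from collections import defaultdict

# Constructed excerpt, not copied from the page: a few of the appendix settings
# re-typed in an indented layout (assumed export format), credentials replaced.
SAMPLE_CONFIG = """\
enable secret PLACEHOLDER
ip access-list session ascom
  any any any permit
!
ip access-list session sip-acl
  any any svc-sip-udp permit queue high
  any any svc-sip-tcp permit queue high
!
user-role voice
  access-list session sip-acl
!
user-role ascom
  access-list session ascom
!
crypto ipsec transform-set default-ha-transform esp-3des esp-sha-hmac
crypto ipsec transform-set default-aes esp-aes256 esp-sha-hmac
aaa profile "ascom"
  initial-role "ascom"
!
control-plane-security
  no cpsec-enable
!
wlan ssid-profile "default"
  essid "ArubaIntop"
  opmode wpa2-psk-aes
  wpa-passphrase PLACEHOLDER
!
"""

WEAK_ESP = {"esp-des", "esp-3des"}
CREDENTIAL_KEYWORDS = {"wpa-passphrase", "wepkey1", "key"}


def parse_stanzas(text):
    """Group an indented CLI config into (header_tokens, [child_tokens])."""
    stanzas = []
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        tokens = raw.replace('"', "").split()
        if raw[0].isspace() and stanzas:
            stanzas[-1][1].append(tokens)      # indented line: child of last header
        else:
            stanzas.append((tokens, []))       # unindented line: new stanza
    return stanzas


def audit(text):
    """Return (kind, object, detail) tuples; credential values are never echoed."""
    findings = []
    open_acls, role_acls, initial_roles = set(), defaultdict(list), {}
    for head, body in parse_stanzas(text):
        for tokens in [head] + body:
            if tokens[0] in CREDENTIAL_KEYWORDS or tokens[:2] == ["enable", "secret"]:
                keyword = "enable secret" if tokens[0] == "enable" else tokens[0]
                where = "(top level)" if tokens is head else " ".join(head)
                findings.append(("credential-line", where, keyword))
        if head[:3] == ["ip", "access-list", "session"] and len(head) > 3:
            if ["any", "any", "any", "permit"] in body:
                open_acls.add(head[3])
        elif head[0] == "user-role" and len(head) > 1:
            role_acls[head[1]] += [c[2] for c in body
                                   if c[:2] == ["access-list", "session"] and len(c) > 2]
        elif head[:2] == ["aaa", "profile"] and len(head) > 2:
            for c in body:
                if c[0] == "initial-role" and len(c) > 1:
                    initial_roles[head[2]] = c[1]
        elif head[:3] == ["crypto", "ipsec", "transform-set"] and len(head) > 3:
            for alg in sorted(WEAK_ESP.intersection(head[4:])):
                findings.append(("weak-esp", head[3], alg))
        elif head == ["control-plane-security"] and ["no", "cpsec-enable"] in body:
            findings.append(("cpsec-disabled", "control-plane-security", "no cpsec-enable"))
    # Resolve references after the whole file is read, so stanza order does not matter.
    open_roles = {r: [a for a in acls if a in open_acls] for r, acls in role_acls.items()}
    for role in sorted(r for r, hits in open_roles.items() if hits):
        findings.append(("allow-all-role", role, open_roles[role][0]))
    for profile, role in sorted(initial_roles.items()):
        if open_roles.get(role):
            findings.append(("allow-all-initial-role", profile, role))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(*finding, sep=" | ")
```

On the constructed excerpt the `voice` role, which only references protocol-specific ACLs, is not flagged, while the `ascom` role and the AAA profile that uses it as initial role are.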


WLAN Interoperability Test Report
Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP115 and AP225
WLAN configuration: Beacon Interval 100 ms; DTIM Interval 5; 802.11d Regulatory Domain XX; WMM Enabled (AutoWMM); No Auto-tune; Single Voice VLAN

Test Case | Description | AP115 2.4 GHz | AP115 5.0 GHz | AP225 2.4 GHz | AP225 5.0 GHz | Comment
TEST AREA ASSOCIATION AUTHENTICATION
101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS |
104 | Association with WPA-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62
105 | Association with WPA-PSK authentication, AES-CCMP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62
106 | Association with WPA2-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS |
110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL
111 | Association with EAP-FAST authentication | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment
116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate
TEST AREA POWER-SAVE AND QOS PASS
150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL
151 | Beacon period and DTIM interval | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED
152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment
202 | WMM prioritization | PASS | PASS | PASS | PASS | background load generated with iPerf. No degeneration of voice quality
TEST AREA PERFORMANCE
301 | Active mode - unencrypted | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
303 | Active mode – encrypted with WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
308 | Power-save mode U-APSD – WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
309 | Power-save mode U-APSD – WPA2-PSK, AES background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
310 | CAC - TSPEC | PASS | PASS | PASS | PASS | No TSPEC based CAC
TEST AREA ROAMING AND HANDOVER TIMES
401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | avg a/n 24 ms, b/g/n 24 ms
403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 52 ms, b/g/n 59 ms
408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 63 ms, b/g/n 62 ms
410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | always on, see 408
411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | always on, see 408
TEST AREA BATTERY LIFETIME
501 | Battery lifetime in idle | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
502 | Battery lifetime in call with no power save | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
504 | Battery lifetime in call with power save mode U-APSD | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
TEST AREA STABILITY
601 | Duration of call – Active mode | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
602 | Duration of call – U-APSD mode | PASS | PASS | PASS | PASS |
TEST AREA 802.11n
801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
804 | 40 MHz channels | NOT TESTED | PASS | NOT TESTED | NOT TESTED |
805 | 802.11n rates | PASS | PASS | PASS | PASS |

WLAN Interoperability Test Report
Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP103 and AP205
WLAN configuration: Beacon Interval 100 ms; DTIM Interval 5; 802.11d Regulatory Domain XX; WMM Enabled (AutoWMM); No Auto-tune; Single Voice VLAN

Test Case | Description | AP205 2.4 GHz | AP205 5.0 GHz | AP103 2.4 GHz | AP103 5.0 GHz | Comment
TEST AREA ASSOCIATION AUTHENTICATION
101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS |
104 | Association with WPA-PSK authentication, TKIP encryption | See Comment | See Comment | See Comment | See Comment | Not tested. Only possible in Mixed mode and requires advanced configuration of i62
105 | Association with WPA-PSK authentication, AES-CCMP encryption | See Comment | See Comment | See Comment | See Comment | Not tested. Only possible in Mixed mode and requires advanced configuration of i62
106 | Association with WPA2-PSK authentication, TKIP encryption | PASS | PASS | PASS | PASS |
107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS |
110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL
115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment
116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate
TEST AREA POWER-SAVE AND QOS PASS
150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL
151 | Beacon period and DTIM interval | See Comment | See Comment | PASS | PASS | Only Dtim 1 for AP205; AP103 no remark NOT TESTED
152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment
202 | WMM prioritization | PASS | PASS | PASS | PASS |
TEST AREA PERFORMANCE
301 | Active mode - unencrypted | PASS | PASS | PASS | PASS |
303 | Active mode – encrypted with WPA2-PSK | PASS | PASS | PASS | PASS |
308 | Power-save mode U-APSD – WPA2-PSK | PASS | PASS | PASS | PASS |
309 | Power-save mode U-APSD – WPA2-PSK, AES background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
310 | CAC - TSPEC | PASS | PASS | PASS | PASS | Non tspec based CAC
TEST AREA ROAMING AND HANDOVER TIMES
401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 16 ms, b/g/n 18 ms
403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 53 ms, b/g/n 59 ms
408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 46 ms, b/g/n 62 ms
410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | always on, see 408
411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | always on, see 408
TEST AREA BATTERY LIFETIME
501 | Battery lifetime in idle | See Comment | See Comment | PASS | PASS | 60-70h due to DTIM 1 only; AP103 90 100h (DTIM 5)
502 | Battery lifetime in call with no power save | PASS | PASS | PASS | PASS | 3-4 hours
504 | Battery lifetime in call with power save mode U-APSD | PASS | PASS | PASS | PASS | 13h (14-16h for AP103)
TEST AREA STABILITY
601 | Duration of call – Active mode | PASS | PASS | PASS | PASS | 24h +
602 | Duration of call – U-APSD mode | PASS | PASS | PASS | PASS | 24h +
TEST AREA 802.11n
801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
804 | 40 MHz channels | NOT TESTED | PASS | NOT TESTED | PASS | AP205 80 MHz channels verified ok
805 | 802.11n rates | PASS | PASS | PASS | PASS |

WLAN Interoperability Test Report
Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP105 and AP135
WLAN configuration: Beacon Interval 100 ms; DTIM Interval 5; 802.11d Regulatory Domain XX; WMM Enabled (AutoWMM); No Auto-tune; Single Voice VLAN

Test Case | Description | AP105 2.4 GHz | AP105 5.0 GHz | AP135 2.4 GHz | AP135 5.0 GHz | Comment
TEST AREA ASSOCIATION AUTHENTICATION
101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS |
104 | Association with WPA-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62
105 | Association with WPA-PSK authentication, AES-CCMP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62
106 | Association with WPA2-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS |
110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL
115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment
116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate
TEST AREA POWER-SAVE AND QOS PASS
150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL
151 | Beacon period and DTIM interval | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Only Dtim 1 for AP205; AP103 no remark NOT TESTED
152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment
202 | WMM prioritization | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | background load generated with iPerf. No degeneration of voice quality
TEST AREA PERFORMANCE
301 | Active mode - unencrypted | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
303 | Active mode – encrypted with WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
308 | Power-save mode U-APSD – WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
309 | Power-save mode U-APSD – WPA2-PSK, AES background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
310 | CAC - TSPEC | PASS | PASS | PASS | PASS | No TSPEC based CAC
TEST AREA ROAMING AND HANDOVER TIMES
401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | avg a/n 29 ms, b/g/n 27 ms
403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 57 ms, b/g/n 55 ms
408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 62 ms, b/g/n 60 ms
410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | Always on, see 408
411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | Always on, see 408
412 | Preauthentication | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
TEST AREA BATTERY LIFETIME
501 | Battery lifetime in idle | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
502 | Battery lifetime in call with no power save | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
504 | Battery lifetime in call with power save mode U-APSD | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
TEST AREA STABILITY
601 | Duration of call – Active mode | PASS | PASS | PASS | PASS |
602 | Duration of call – U-APSD mode | PASS | PASS | PASS | PASS |
TEST AREA 802.11n
801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
804 | 40 MHz channels | NOT TESTED | NOT TESTED | NOT TESTED | PASS |
805 | 802.11n rates | PASS | PASS | PASS | PASS |

Ascom recommends disabling the lowest rates and using 12 Mbit/s as the lowest basic rate.

Ensure that WMM and U‐APSD are enabled. To match the default values in the i62, use DSCP 46 for voice, 26 for video and 0 for best effort. It is also recommended that “Max Transmit Attempts” be set to 4.

Note: To further optimize performance, it is recommended that 802.11b clients be disallowed from associating by setting 6 Mbps or 12 Mbps as Basic Rates in the 802.11g configuration.

Set “Maximum Transmit Failures” to 25.

“High throughput enable” enables 802.11n capabilities that are supported in combination with Open encryption and WPA2‐AES (PSK or Enterprise).

Ascom supports both 40 MHz and Very High Throughput enabled SSIDs, including 80 MHz channels.

Ascom recommends a Beacon Interval of 100 ms and advertising 802.11d/h capabilities.

General guidelines when deploying Ascom i62 handsets (SW version 2.5.7 or later) in 802.11a/n environments:

1. Enabling more than 8 channels will degrade roaming performance. Ascom strongly recommends against going above this limit.

2. Using 40 MHz channels (or “channel‐bonding”) will reduce the number of non‐DFS channels to two in ETSI regions (Europe). In FCC regions (North America), 40 MHz is a more viable option because of the availability of additional non‐DFS channels. The handset can co‐exist with 40 MHz stations in the same ESS.

DeployingAscomrsquosi62VoWi‐FiHandsetwithArubaNetworksrsquoSecureMobilitySolution 14

3 Make sure that all non‐DFS channel are taken before resorting to DFS channels The handset can cope in mixed non‐DFS and DFS environments however due to ldquounpredictabilityrdquo introduced by radar detection protocols voice quality may become distorted and roaming delayed Hence Ascom recommends avoiding the use of DFS channels in VoWi‐Fi deployments

) Dynamic Frequency Selection (radar detection)

Ascom recommends a Beacon Interval of 100ms and advertising 80211dh capabilities For 80211bgn

use only channels 1 6 and 11 For 80211an use channels in accordance with Arubarsquos guidelines and in

compliance with local regulations

Encryption and Authentication Settings

WPA2-PSK: Set the security profile to WPA2-PSK, AES encryption.

Enterprise/802.1X authentication

Step 1: When configuring the authentication mode using a RADIUS server, the IP address and the secret must correspond to the IP address and the credential used by the RADIUS server. The RADIUS server should be added to a Server Group.

Step 2: Create an 802.1X Authentication Profile.

Step 3: Choose the 802.1X Authentication profile created in the previous step and configure the Authentication Server group.

Choose the configured AAA Profile and set WPA2-AES as the security mode.

See Appendix B for the controller configuration used for the certification process.

Ascom i62 Setting Summary

Network settings for WPA2-PSK

Network settings for 802.1X authentication (PEAP-MSCHAPv2)

802.1X authentication requires a root certificate to be uploaded to the phone by right-clicking -> Edit certificates. EAP-TLS requires both a root and a client certificate.

Note that both a root and a client certificate are needed for TLS. Otherwise only a root certificate is needed.

Server certificate validation can be overridden in version 4.1.12 and above per handset setting ("Validate server certificate" under Network settings).

APPENDIX B

Test Summary

Description              Runs
Tests passed             24
Tests Not Run            11
Tests fail               0
Test NA                  0
Total Number of Tests    35

Aruba Test Configuration File

version 6.4
enable secret 7d3988e20126db68084797bcc038534bffc2ced01c24555806
hostname Aruba3400
clock timezone PST -8
location Building1floor1
controller config 716
ip NAT pool dynamic-srcnat 0.0.0.0 0.0.0.0
ip access-list eth validuserethacl
   permit any
netservice svc-pcoip2-tcp tcp 4172
netservice svc-snmp-trap udp 162
netservice svc-netbios-dgm udp 138
netservice svc-citrix tcp 2598
netservice svc-smb-tcp tcp 445
netservice svc-ike udp 500
netservice svc-l2tp udp 1701
netservice svc-syslog udp 514
netservice svc-dhcp udp 67 68 alg dhcp
netservice svc-https tcp 443
netservice svc-ica tcp 1494
netservice svc-pptp tcp 1723
netservice svc-telnet tcp 23
netservice svc-http-accl tcp 88
netservice svc-sccp tcp 2000 alg sccp
netservice svc-sec-papi udp 8209
netservice svc-tftp udp 69 alg tftp
netservice svc-kerberos udp 88
netservice svc-sip-tcp tcp 5060
netservice svc-netbios-ssn tcp 139
netservice svc-pcoip-udp udp 50002
netservice svc-pcoip-tcp tcp 50002
netservice svc-pop3 tcp 110
netservice svc-adp udp 8200
netservice svc-cfgm-tcp tcp 8211
netservice svc-noe udp 32512 alg noe
netservice svc-http-proxy3 tcp 8888
netservice svc-lpd-tcp tcp 631
netservice svc-msrpc-tcp tcp 135 139
netservice svc-rtsp tcp 554 alg rtsp
netservice svc-dns udp 53 alg dns
netservice vnc tcp 5900 5905
netservice svc-vocera udp 5002 alg vocera
netservice svc-h323-tcp tcp 1720
netservice svc-h323-udp udp 1718 1719
netservice svc-http tcp 80
netservice svc-nterm tcp 1026 1028
netservice svc-sip-udp udp 5060
netservice svc-http-proxy2 tcp 8080
netservice svc-noe-oxo udp 5000 alg noe
netservice svc-papi udp 8211
netservice svc-ftp tcp 21 alg ftp
netservice svc-natt udp 4500
netservice svc-svp 119 alg svp
netservice svc-microsoft-ds tcp 445
netservice svc-gre 47
netservice svc-smtp tcp 25
netservice web tcp list 80 443
netservice svc-smb-udp udp 445
netservice svc-sips tcp 5061 alg sips
netservice svc-netbios-ns udp 137
netservice svc-esp 50
netservice svc-cups tcp 515
netservice svc-pcoip2-udp udp 4172
netservice svc-bootp udp 67 69
netservice svc-snmp udp 161
netservice svc-v6-dhcp udp 546 547
netservice svc-icmp 1
netservice svc-ntp udp 123
netservice svc-msrpc-udp udp 135 139
netservice svc-ssh tcp 22
netservice svc-http-proxy1 tcp 3128
netservice svc-v6-icmp 58
netservice svc-lpd-udp udp 631
netservice svc-vmware-rdp tcp 3389
netdestination6 ipv6-reserved-range
   invert
   network 2000::/3
netexthdr default
time-range night-hours periodic
   weekday 18:01 to 23:59
   weekday 00:00 to 07:59
time-range weekend periodic
   weekend 00:00 to 23:59
time-range working-hours periodic
   weekday 08:00 to 18:00
ip access-list session allow-diskservices
   any any svc-netbios-dgm permit
   any any svc-netbios-ssn permit
   any any svc-microsoft-ds permit
   any any svc-netbios-ns permit
ip access-list session control
   any any svc-papi permit
   any any svc-sec-papi permit
   user any udp 68 deny
   any any svc-icmp permit
   any any svc-dns permit
   any any svc-cfgm-tcp permit
   any any svc-adp permit
   any any svc-tftp permit
   any any svc-dhcp permit
   any any svc-natt permit
ip access-list session v6-icmp-acl
ip access-list session apprf-ascom-sacl
ip access-list session validuser
   network 169.254.0.0 255.255.0.0 any any deny
   network 127.0.0.0 255.0.0.0 any any deny
   network 224.0.0.0 240.0.0.0 any any deny
   host 255.255.255.255 any any deny
   network 240.0.0.0 240.0.0.0 any any deny
   any any any permit
   ipv6 host fe80:: any any deny
   ipv6 network fc00::/7 any any permit
   ipv6 network fe80::/64 any any permit
   ipv6 alias ipv6-reserved-range any any deny
   ipv6 any any any permit
ip access-list session vocera-acl
   any any svc-vocera permit queue high
ip access-list session v6-https-acl
ip access-list session vmware-acl
   any any svc-vmware-rdp permit tos 46 dot1p-priority 6
   any any svc-pcoip-tcp permit tos 46 dot1p-priority 6
   any any svc-pcoip-udp permit tos 46 dot1p-priority 6
   any any svc-pcoip2-tcp permit tos 46 dot1p-priority 6
   any any svc-pcoip2-udp permit tos 46 dot1p-priority 6
ip access-list session apprf-default-vpn-role-sacl
ip access-list session v6-control
   ipv6 any any svc-papi permit
   ipv6 any any svc-sec-papi permit
   ipv6 user any udp 547 deny
   ipv6 any any svc-v6-icmp permit
   ipv6 any any svc-dns permit
   ipv6 any any svc-cfgm-tcp permit
   ipv6 any any svc-adp permit
   ipv6 any any svc-tftp permit
   ipv6 any any svc-dhcp permit
   ipv6 any any svc-natt permit
ip access-list session icmp-acl
   any any svc-icmp permit
ip access-list session apprf-authenticated-sacl
ip access-list session apprf-stateful-dot1x-sacl
ip access-list session captiveportal
   user alias controller svc-https dst-nat 8081
   user any svc-http dst-nat 8080
   user any svc-https dst-nat 8081
   user any svc-http-proxy1 dst-nat 8088
   user any svc-http-proxy2 dst-nat 8088
   user any svc-http-proxy3 dst-nat 8088
ip access-list session v6-dhcp-acl
ip access-list session allowall
   any any any permit
ip access-list session v6-dns-acl
ip access-list session apprf-voice-sacl
ip access-list session lync-acl
   any any svc-sips permit queue high
ip access-list session test
ip access-list session sip-acl
   any any svc-sip-udp permit queue high
   any any svc-sip-tcp permit queue high
ip access-list session https-acl
   any any svc-https permit
ip access-list session citrix-acl
   any any svc-citrix permit tos 46 dot1p-priority 6
   any any svc-ica permit tos 46 dot1p-priority 6
ip access-list session dns-acl
   any any svc-dns permit
ip access-list session ascom
   any any any permit
ip access-list session ra-guard
   ipv6 user any icmpv6 rtr-adv deny
ip access-list session allow-printservices
   any any svc-cups permit
   any any svc-lpd-tcp permit
   any any svc-lpd-udp permit
ip access-list session logon-control
   user any udp 68 deny
   any any svc-icmp permit
   any any svc-dns permit
   any any svc-dhcp permit
   any any svc-natt permit
   any network 169.254.0.0 255.255.0.0 any deny
   any network 240.0.0.0 240.0.0.0 any deny
ip access-list session vpnlogon
   user any svc-ike permit
   user any svc-esp permit
   any any svc-l2tp permit
   any any svc-pptp permit
   any any svc-gre permit
ip access-list session srcnat
   user any any src-nat
ip access-list session skinny-acl
   any any svc-sccp permit queue high
ip access-list session tftp-acl
   any any svc-tftp permit
ip access-list session v6-allowall
ip access-list session apprf-cpbase-sacl
ip access-list session cplogout
   user alias controller svc-https dst-nat 8081
ip access-list session apprf-default-via-role-sacl
ip access-list session dhcp-acl
   any any svc-dhcp permit
ip access-list session http-acl
   any any svc-http permit
ip access-list session v6-http-acl
ip access-list session captiveportal6
   ipv6 user alias controller6 svc-https captive
   ipv6 user any svc-http captive
   ipv6 user any svc-https captive
   ipv6 user any svc-http-proxy1 captive
   ipv6 user any svc-http-proxy2 captive
   ipv6 user any svc-http-proxy3 captive
ip access-list session apprf-guest-sacl
ip access-list session ap-uplink-acl
   any any udp 68 permit
   any any svc-icmp permit
   any host 224.0.0.251 udp 5353 permit
ip access-list session ap-acl
   any any svc-gre permit
   any any svc-syslog permit
   any user svc-snmp permit
   user any svc-http permit
   user any svc-http-accl permit
   user any svc-smb-tcp permit
   user any svc-msrpc-tcp permit
   user any svc-snmp-trap permit
   user any svc-ntp permit
   user alias controller svc-ftp permit
ip access-list session svp-acl
   any any svc-svp permit queue high
   user host 224.0.1.116 any permit
ip access-list session noe-acl
   any any svc-noe permit queue high
ip access-list session global-sacl
ip access-list session v6-ap-acl
   ipv6 any any svc-gre permit
   ipv6 any any svc-syslog permit
   ipv6 any user svc-snmp permit
   ipv6 user any svc-snmp-trap permit
   ipv6 user any svc-ntp permit
   ipv6 user alias controller6 svc-ftp permit
ip access-list session h323-acl
   any any svc-h323-tcp permit queue high
   any any svc-h323-udp permit queue high
ip access-list session v6-logon-control
   ipv6 any network fc00::/7 any permit
   ipv6 any network fe80::/64 any permit
   ipv6 any alias ipv6-reserved-range any deny
vpn-dialer default-dialer
   ike authentication PRE-SHARE 0fa4598253e270cc96afbec0732b06120e4a3d76a908f6e2
dot1x high-watermark 60
dot1x low-watermark 57
user-role ap-role
   access-list session ra-guard
   access-list session control
   access-list session ap-acl
   access-list session v6-control
   access-list session v6-ap-acl
user-role denyall
user-role default-vpn-role
   access-list session global-sacl
   access-list session apprf-default-vpn-role-sacl
   access-list session ra-guard
   access-list session allowall
   access-list session v6-allowall
user-role cpbase
   access-list session global-sacl
   access-list session apprf-cpbase-sacl
user-role voice
   access-list session global-sacl
   access-list session apprf-voice-sacl
   access-list session ra-guard
   access-list session sip-acl
   access-list session noe-acl
   access-list session svp-acl
   access-list session vocera-acl
   access-list session skinny-acl
   access-list session h323-acl
   access-list session dhcp-acl
   access-list session tftp-acl
   access-list session dns-acl
   access-list session icmp-acl
user-role ascom
   access-list session global-sacl
   access-list session apprf-ascom-sacl
   access-list session ascom
user-role default-via-role
   access-list session global-sacl
   access-list session apprf-default-via-role-sacl
   access-list session allowall
   access-list session v6-allowall
user-role guest-logon
   captive-portal default
   access-list session ra-guard
   access-list session logon-control
   access-list session captiveportal
   access-list session v6-logon-control
   access-list session captiveportal6
user-role guest
   access-list session global-sacl
   access-list session apprf-guest-sacl
   access-list session ra-guard
   access-list session http-acl
   access-list session https-acl
   access-list session dhcp-acl
   access-list session icmp-acl
   access-list session dns-acl
   access-list session v6-http-acl
   access-list session v6-https-acl
   access-list session v6-dhcp-acl
   access-list session v6-icmp-acl
   access-list session v6-dns-acl
user-role stateful-dot1x
   access-list session global-sacl
   access-list session apprf-stateful-dot1x-sacl
user-role authenticated
   access-list session global-sacl
   access-list session apprf-authenticated-sacl
   access-list session ra-guard
   access-list session allowall
   access-list session v6-allowall
user-role logon
   access-list session ra-guard
   access-list session logon-control
   access-list session captiveportal
   access-list session vpnlogon
   access-list session v6-logon-control
   access-list session captiveportal6
no kernel coredump
interface mgmt
   shutdown
dialer group evdo_us
   init-string ATQ0V1E0
   dial-string ATDT777
dialer group gsm_us
   init-string AT+CGDCONT=1IPISPCINGULAR
   dial-string ATD99
dialer group gsm_asia
   init-string AT+CGDCONT=1IPinternet
   dial-string ATD991
dialer group vivo_br
   init-string AT+CGDCONT=1IPzapvivocombr
   dial-string ATD99
no spanning-tree
interface gigabitethernet 1/0
   description GE1/0
   trusted
   trusted vlan 1-4094
interface gigabitethernet 1/1
   description GE1/1
   trusted
   trusted vlan 1-4094
interface gigabitethernet 1/2
   description GE1/2
   trusted
   trusted vlan 1-4094
interface gigabitethernet 1/3
   description GE1/3
   trusted
   trusted vlan 1-4094
interface vlan 1
   ip address 192.168.0.13 255.255.255.0
ip default-gateway 172201061
ip default-gateway 192.168.0.50
uplink disable
crypto isakmp policy 20
   encryption aes256
crypto isakmp policy 10001
crypto isakmp policy 10002
   encryption aes256
   authentication rsa-sig
crypto isakmp policy 10003
   encryption aes256
crypto isakmp policy 10004
   version v2
   encryption aes256
   authentication rsa-sig
crypto isakmp policy 10005
   encryption aes256
crypto isakmp policy 10006
   version v2
   encryption aes128
   authentication rsa-sig
crypto isakmp policy 10007
   version v2
   encryption aes128
crypto isakmp policy 10008
   version v2
   encryption aes128
   hash sha2-256-128
   group 19
   authentication ecdsa-256
   prf prf-hmac-sha256
crypto isakmp policy 10009
   version v2
   encryption aes256
   hash sha2-384-192
   group 20
   authentication ecdsa-384
   prf prf-hmac-sha384
crypto ipsec transform-set default-ha-transform esp-3des esp-sha-hmac
crypto ipsec transform-set default-boc-bm-transform esp-3des esp-sha-hmac
crypto ipsec transform-set default-rap-transform esp-aes256 esp-sha-hmac
crypto ipsec transform-set default-aes esp-aes256 esp-sha-hmac
crypto dynamic-map default-rap-ipsecmap 10001
   version v2
   set transform-set default-gcm256 default-gcm128 default-rap-transform
crypto dynamic-map default-dynamicmap 10000
   set transform-set default-transform default-aes
crypto map GLOBAL-IKEV2-MAP 10000 ipsec-isakmp dynamic default-rap-ipsecmap
crypto map GLOBAL-MAP 10000 ipsec-isakmp dynamic default-dynamicmap
crypto isakmp eap-passthrough eap-tls
crypto isakmp eap-passthrough eap-peap
crypto isakmp eap-passthrough eap-mschapv2
vpdn group l2tp
vpdn group pptp
tunneled-node-address 0.0.0.0
adp discovery enable
adp igmp-join enable
adp igmp-vlan 0
voice rtcp-inactivity disable
voice alg-based-cac enable
voice sip-midcall-req-timeout disable
ap ap-blacklist-time 3600
ap flush-r1-on-new-r0 disable
mgmt-user admin root 5436b5a101681372db26d314e974065944317cd3e1fe6a5534
no database synchronize
ip mobile domain default
airgroup mdns enable
airgroup dlna enable
airgroup location-discovery enable
airgroup active-wireless-discovery disable
airgroupservice airplay
   id _airplay._tcp
   id _raop._tcp
   id _appletv-v2._tcp
   description AirPlay
airgroupservice airprint
   id _ipp._tcp
   id _pdl-datastream._tcp
   id _printer._tcp
   id _scanner._tcp
   id _universal._sub._ipp._tcp
   id _universal._sub._ipps._tcp
   id _printer._sub._http._tcp
   id _http._tcp
   id _http-alt._tcp
   id _ipp-tls._tcp
   id _fax-ipp._tcp
   id _riousbprint._tcp
   id _cups._sub._ipp._tcp
   id _cups._sub._fax-ipp._tcp
   id _ica-networking._tcp
   id _ptp._tcp
   id _canon-bjnp1._tcp
   id _ipps._tcp
   id _ica-networking2._tcp
   description AirPrint
airgroupservice itunes
   id _home-sharing._tcp
   id _apple-mobdev._tcp
   id _daap._tcp
   id _dacp._tcp
   description iTunes
airgroupservice remotemgmt
   id _ssh._tcp
   id _sftp-ssh._tcp
   id _ftp._tcp
   id _telnet._tcp
   id _rfb._tcp
   id _net-assistant._tcp
   description Remote management
airgroupservice sharing
   id _odisk._tcp
   id _afpovertcp._tcp
   id _xgrid._tcp
   description Sharing
airgroupservice chat
   id _presence._tcp
   description Chat
airgroupservice googlecast
   id _googlecast._tcp
   description GoogleCast supported by Chromecast etc
airgroupservice DIAL
   id urn:dial-multiscreen-org:service:dial:1
   id urn:dial-multiscreen-org:device:dial:1
   description DIAL supported by Chromecast FireTV Roku etc
airgroupservice DLNA Media
   id urn:schemas-upnp-org:device:MediaServer:1
   id urn:schemas-upnp-org:device:MediaServer:2
   id urn:schemas-upnp-org:device:MediaServer:3
   id urn:schemas-upnp-org:device:MediaServer:4
   id urn:schemas-upnp-org:device:MediaRenderer:1
   id urn:schemas-upnp-org:device:MediaRenderer:2
   id urn:schemas-upnp-org:device:MediaRenderer:3
   id urn:schemas-upnp-org:device:MediaPlayer:1
   description Media
airgroupservice DLNA Print
   id urn:schemas-upnp-org:device:Printer:1
   id urn:schemas-upnp-org:service:PrintBasic:1
   id urn:schemas-upnp-org:service:PrintEnhanced:1
   description Print
airgroupservice allowall
   description Remaining-Services
airgroup service airplay enable
airgroup service airprint enable
airgroup service itunes disable
airgroup service remotemgmt disable
airgroup service sharing disable
airgroup service chat disable
airgroup service googlecast disable
airgroup service DIAL enable
airgroup service DLNA Media disable
airgroup service DLNA Print disable
airgroup service allowall disable
ip igmp
ipv6 mld
no firewall attack-rate cp 1024
firewall enable ICE-STUN based firewall traversal
firewall attack-rate grat-arp 50 drop
ipv6 firewall ext-hdr-parse-len 100
firewall cp
ip domain lookup
country US
aaa authentication mac default
aaa authentication dot1x ArubaIntop-dot1x_prof
aaa authentication dot1x ascom
   machine-authentication enable
   machine-authentication machine-default-role ascom
   machine-authentication user-default-role authenticated
   reauthentication
   termination enable
   termination eap-type eap-peap
   termination inner-eap-type eap-mschapv2
aaa authentication dot1x default
aaa authentication dot1x Freeradius
   machine-authentication enable
   machine-authentication machine-default-role ascom
   machine-authentication user-default-role authenticated
aaa authentication-server radius Intop
   host 192.168.0.2
   key 6035e299cd29e5ccb74cf92aac31ee2f
aaa server-group ascom
   auth-server Internal
aaa server-group default
   auth-server Internal
   set role condition role value-of
aaa server-group intop
   auth-server Intop
aaa profile ascom
   initial-role ascom
   authentication-dot1x ascom
   dot1x-default-role authenticated
   dot1x-server-group ascom
aaa profile default
aaa profile default-dot1x
   initial-role ascom
   authentication-dot1x Freeradius
   dot1x-default-role authenticated
   dot1x-server-group intop
aaa profile default-dot1x-psk
   initial-role ascom
   authentication-dot1x default-psk
   dot1x-default-role authenticated
aaa authentication captive-portal default
aaa authentication wispr default
aaa authentication vpn default
aaa authentication vpn default-rap
aaa authentication mgmt
aaa authentication stateful-ntlm default
aaa authentication stateful-kerberos default
aaa authentication stateful-dot1x
   server-group intop
aaa authentication wired
web-server
guest-access-email
voice logging
voice dialplan-profile default
app lync traffic-control default
voice real-time-config
voice sip
aaa password-policy mgmt
control-plane-security
   no cpsec-enable
ids wms-general-profile
   poll-retries 3
ids wms-local-system-profile
valid-network-oui-profile
upgrade-profile
license profile
activate-service-whitelist
file syncing profile
ifmap cppm
pan profile default
pan active-profile
ap system-profile default
ap regulatory-domain-profile default
   country-code US
   valid-11g-channel 1
   valid-11g-channel 6
   valid-11g-channel 11
   valid-11a-channel 36
   valid-11a-channel 40
   valid-11a-channel 44
   valid-11a-channel 48
   valid-11a-channel 149
   valid-11a-channel 153
   valid-11a-channel 157
   valid-11a-channel 161
   valid-11a-channel 165
   valid-11g-40mhz-channel-pair 1-5
   valid-11g-40mhz-channel-pair 7-11
   valid-11a-40mhz-channel-pair 36-40
   valid-11a-40mhz-channel-pair 44-48
   valid-11a-40mhz-channel-pair 149-153
   valid-11a-40mhz-channel-pair 157-161
ap wired-ap-profile default
ap enet-link-profile default
ap mesh-ht-ssid-profile default
ap lldp med-network-policy-profile default
ap mesh-cluster-profile default
ap lldp profile default
ap mesh-radio-profile default
ap wired-port-profile default
ids general-profile default
ids unauthorized-device-profile default
ids profile default
rf arm-profile default
   assignment disable
rf arm-profile disable
   assignment disable
   no scanning
   no multi-band-scan
rf optimization-profile default
rf event-thresholds-profile default
rf am-scan-profile default
rf dot11a-radio-profile ch 165
   channel 48E
   tx-power 6
   arm-profile disable
rf dot11a-radio-profile ch 36
   channel 36E
   tx-power 25
   dot11h
   arm-profile disable
rf dot11a-radio-profile ch 40
   channel 40-
   tx-power 22
rf dot11a-radio-profile ch149
   channel 149E
   tx-power 6
   dot11h
rf dot11a-radio-profile ch44
   channel 44
   tx-power 16
rf dot11a-radio-profile default
   arm-profile disable
rf dot11g-radio-profile channel-1
   channel 1
   tx-power 6
   dot11h
   arm-profile disable
rf dot11g-radio-profile channel-11
   channel 11
   tx-power 30
   dot11h
   arm-profile disable
rf dot11g-radio-profile channel-6
   channel 6
   tx-power 25
   dot11h
   arm-profile disable
rf dot11g-radio-profile default
wlan handover-trigger-profile default
wlan rrm-ie-profile default
wlan bcn-rpt-req-profile default
wlan dot11r-profile default
wlan tsm-req-profile default
wlan voip-cac-profile default
   call-capacity 5
   bandwidth-capacity 200
   send-sip-status-code client 503
   send-sip-status-code server 503
wlan ht-ssid-profile default
   no 40MHz-enable
   no very-high-throughput-enable
   no 80MHz-enable
   no short-guard-intvl-20MHz
   no short-guard-intvl-40MHz
   no short-guard-intvl-80MHz
wlan hotspot anqp-venue-name-profile default
wlan hotspot anqp-nwk-auth-profile default
wlan hotspot anqp-roam-cons-profile default
wlan hotspot anqp-nai-realm-profile default
wlan hotspot anqp-3gpp-nwk-profile default
wlan hotspot h2qp-operator-friendly-name-profile default
wlan hotspot h2qp-wan-metrics-profile default
wlan hotspot h2qp-conn-capability-profile default
wlan hotspot h2qp-op-cl-profile default
wlan hotspot anqp-ip-addr-avail-profile default
wlan hotspot anqp-domain-name-profile default
wlan wmm-traffic-management-profile Ascom
   enable-shaping
wlan edca-parameters-profile station default
wlan edca-parameters-profile ap default
wlan dot11k-profile default
wlan ssid-profile --NEW--
   essid ArubaIntop2
   wmm-vo-dscp 56
   wmm-vi-dscp 40
   wmm-be-dscp 24
   wmm-bk-dscp 8
wlan ssid-profile default
   essid ArubaIntop
   opmode wpa2-psk-aes
   dtim-period 5
   g-basic-rates 6
   g-tx-rates 11 12 18 24 36 48 54
   max-retries 4
   wmm
   wmm-vo-dscp 46
   wmm-vi-dscp 40
   wmm-be-dscp 26
   wmm-bk-dscp 0
   wepkey1 1317981aecb1ee9a3145cbeeabbbc99a4c29e309ef9c8544
   wpa-passphrase 50a78a5dac7e447441e028920cceef898a3ba5f29c6e2098
   max-tx-fail 25
   edca-parameters-profile station default
   edca-parameters-profile ap default
wlan ssid-profile test
   opmode wpa2-psk-aes
   wmm-vo-dscp 56
   wmm-vi-dscp 40
   wmm-be-dscp 24
   wmm-bk-dscp 8
   wpa-passphrase c66913b490044f55538730b888a8522c02008a746fb88738
wlan hotspot advertisement-profile default
wlan hotspot hs2-profile default
wlan virtual-ap default
   aaa-profile default-dot1x
ap provisioning-profile default
rf arm-rf-domain-profile
   arm-rf-domain-key 49868e8b02680a8f03980ea4288197a4
ap-lacp-striping-ip
ap-group default
   virtual-ap default
   dot11a-radio-profile ch149
   dot11g-radio-profile channel-6
ap-name 001a1eca2c1a
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-11
ap-name 001a1eca2c76
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-1
ap-name 00246ccbf8b1
ap-name 00246ccbf900
   dot11a-radio-profile ch44
   dot11g-radio-profile channel-11
ap-name 24dec6cacabc
   dot11a-radio-profile ch149
   dot11g-radio-profile channel-1
ap-name 3400-ap-61-a
   dot11g-radio-profile channel-6
ap-name 3400-ap-61-b
   dot11g-radio-profile channel-6
ap-name 9c1c12c0c3bc
   dot11a-radio-profile ch 165
   dot11g-radio-profile channel-6
ap-name 9c1c12c82e5c
   dot11a-radio-profile ch149
   dot11g-radio-profile channel-1
ap-name 9c1c12cc6220
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-6
ap-name d8c7c8c0a168
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-1
airgroup cppm-server aaa
logging level warnings security subcat ids
logging level warnings security subcat ids-ap
snmp-server enable trap
snmp-server trap source 0.0.0.0
snmp-server trap disable wlsxAdhocNetwork
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedAP
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedSta
snmp-server trap disable wlsxAdhocUsingValidSSID
snmp-server trap disable wlsxAuthMaxAclEntries
snmp-server trap disable wlsxAuthMaxBWContracts
snmp-server trap disable wlsxAuthMaxUserEntries
snmp-server trap disable wlsxAuthServerIsUp
snmp-server trap disable wlsxAuthServerReqTimedOut
snmp-server trap disable wlsxAuthServerTimedOut
snmp-server trap disable wlsxChannelChanged
snmp-server trap disable wlsxCoverageHoleDetected
snmp-server trap disable wlsxDBCommunicationFailure
snmp-server trap disable wlsxDisconnectStationAttack
snmp-server trap disable wlsxESIServerDown
snmp-server trap disable wlsxESIServerUp
snmp-server trap disable wlsxFanFailure
snmp-server trap disable wlsxFanTrayInserted
snmp-server trap disable wlsxFanTrayRemoved
snmp-server trap disable wlsxGBICInserted
snmp-server trap disable wlsxIpSpoofingDetected
snmp-server trap disable wlsxLCInserted
snmp-server trap disable wlsxLCRemoved
snmp-server trap disable wlsxLicenseExpiry
snmp-server trap disable wlsxLowMemory
snmp-server trap disable wlsxLowOnFlashSpace
snmp-server trap disable wlsxOutOfRangeTemperature
snmp-server trap disable wlsxOutOfRangeVoltage
snmp-server trap disable wlsxPowerSupplyFailure
snmp-server trap disable wlsxPowerSupplyMissing
snmp-server trap disable wlsxProcessDied
snmp-server trap disable wlsxProcessExceedsMemoryLimits
snmp-server trap disable wlsxSCInserted
snmp-server trap disable wlsxSignatureMatch
snmp-server trap disable wlsxStaUnAssociatedFromUnsecureAP
snmp-server trap disable wlsxStationAddedToBlackList
snmp-server trap disable wlsxStationRemovedFromBlackList
snmp-server trap disable wlsxSwitchIPChanged
snmp-server trap disable wlsxSwitchRoleChange
snmp-server trap disable wlsxUserAuthenticationFailed
snmp-server trap disable wlsxUserEntryAuthenticated
snmp-server trap disable wlsxUserEntryChanged
snmp-server trap disable wlsxUserEntryCreated
snmp-server trap disable wlsxUserEntryDeAuthenticated
snmp-server trap disable wlsxUserEntryDeleted
snmp-server trap disable wlsxVrrpStateChange
firewall-visibility
process monitor log
end

access-list session ap-acl access-list session v6-control access-list session v6-ap-acluser-role denyalluser-role default-vpn-role access-list session global-sacl access-list session apprf-default-vpn-role-sacl access-list session ra-guard access-list session allowall access-list session v6-allowalluser-role cpbase access-list session global-sacl access-list session apprf-cpbase-sacluser-role voice access-list session global-sacl access-list session apprf-voice-sacl access-list session ra-guard access-list session sip-acl access-list session noe-acl access-list session svp-acl access-list session vocera-acl access-list session skinny-acl access-list session h323-acl access-list session dhcp-acl access-list session tftp-acl access-list session dns-acl access-list session icmp-acluser-role ascom access-list session global-sacl access-list session apprf-ascom-sacl access-list session ascomuser-role default-via-role access-list session global-sacl access-list session apprf-default-via-role-sacl access-list session allowall access-list session v6-allowalluser-role guest-logon captive-portal default access-list session ra-guard access-list session logon-control access-list session captiveportal access-list session v6-logon-control access-list session captiveportal6user-role guest access-list session global-sacl access-list session apprf-guest-sacl access-list session ra-guard access-list session http-acl access-list session https-acl access-list session dhcp-acl access-list session icmp-acl access-list session dns-acl access-list session v6-http-acl access-list session v6-https-acl access-list session v6-dhcp-acl access-list session v6-icmp-acl access-list session v6-dns-acluser-role stateful-dot1x access-list session global-sacl access-list session apprf-stateful-dot1x-sacluser-role authenticated access-list session global-sacl access-list session apprf-authenticated-sacl access-list session ra-guard access-list session allowall access-list session v6-allowalluser-role 
logon access-list session ra-guard access-list session logon-control access-list session captiveportal access-list session vpnlogon access-list session v6-logon-control access-list session captiveportal6no kernel coredumpinterface mgmtshutdowndialer group evdo_us init-string ATQ0V1E0 dial-string ATDT777dialer group gsm_us init-string AT+CGDCONT=1IPISPCINGULAR dial-string ATD99dialer group gsm_asia init-string AT+CGDCONT=1IPinternet dial-string ATD991dialer group vivo_br init-string AT+CGDCONT=1IPzapvivocombr dial-string ATD99no spanning-treeinterface gigabitethernet 10description GE10trustedtrusted vlan 1-4094interface gigabitethernet 11description GE11trustedtrusted vlan 1-4094interface gigabitethernet 12description GE12trustedtrusted vlan 1-4094interface gigabitethernet 13description GE13trustedtrusted vlan 1-4094interface vlan 1ip address 192168013 2552552550ip default-gateway 172201061ip default-gateway 192168050uplink disablecrypto isakmp policy 20 encryption aes256crypto isakmp policy 10001crypto isakmp policy 10002 encryption aes256 authentication rsa-sigcrypto isakmp policy 10003 encryption aes256crypto isakmp policy 10004 version v2 encryption aes256 authentication rsa-sigcrypto isakmp policy 10005 encryption aes256crypto isakmp policy 10006 version v2 encryption aes128 authentication rsa-sigcrypto isakmp policy 10007 version v2 encryption aes128crypto isakmp policy 10008 version v2 encryption aes128 hash sha2-256-128 group 19 authentication ecdsa-256 prf prf-hmac-sha256crypto isakmp policy 10009 version v2 encryption aes256 hash sha2-384-192 group 20 authentication ecdsa-384 prf prf-hmac-sha384crypto ipsec transform-set default-ha-transform esp-3des esp-sha-hmaccrypto ipsec transform-set default-boc-bm-transform esp-3des esp-sha-hmaccrypto ipsec transform-set default-rap-transform esp-aes256 esp-sha-hmaccrypto ipsec transform-set default-aes esp-aes256 esp-sha-hmaccrypto dynamic-map default-rap-ipsecmap 10001 version v2 set transform-set default-gcm256 
default-gcm128 default-rap-transform crypto dynamic-map default-dynamicmap 10000 set transform-set default-transform default-aes crypto map GLOBAL-IKEV2-MAP 10000 ipsec-isakmp dynamic default-rap-ipsecmapcrypto map GLOBAL-MAP 10000 ipsec-isakmp dynamic default-dynamicmapcrypto isakmp eap-passthrough eap-tlscrypto isakmp eap-passthrough eap-peapcrypto isakmp eap-passthrough eap-mschapv2vpdn group l2tp vpdn group pptptunneled-node-address 0000adp discovery enableadp igmp-join enableadp igmp-vlan 0voice rtcp-inactivity disablevoice alg-based-cac enablevoice sip-midcall-req-timeout disableap ap-blacklist-time 3600ap flush-r1-on-new-r0 disablemgmt-user admin root 5436b5a101681372db26d314e974065944317cd3e1fe6a5534no database synchronizeip mobile domain defaultairgroup mdns enableairgroup dlna enableairgroup location-discovery enableairgroup active-wireless-discovery disableairgroupservice airplay id _airplay_tcp id _raop_tcp id _appletv-v2_tcp description AirPlayairgroupservice airprint id _ipp_tcp id _pdl-datastream_tcp id _printer_tcp id _scanner_tcp id _universal_sub_ipp_tcp id _universal_sub_ipps_tcp id _printer_sub_http_tcp id _http_tcp id _http-alt_tcp id _ipp-tls_tcp id _fax-ipp_tcp id _riousbprint_tcp id _cups_sub_ipp_tcp id _cups_sub_fax-ipp_tcp id _ica-networking_tcp id _ptp_tcp id _canon-bjnp1_tcp id _ipps_tcp id _ica-networking2_tcp description AirPrintairgroupservice itunes id _home-sharing_tcp id _apple-mobdev_tcp id _daap_tcp id _dacp_tcp description iTunesairgroupservice remotemgmt id _ssh_tcp id _sftp-ssh_tcp id _ftp_tcp id _telnet_tcp id _rfb_tcp id _net-assistant_tcp description Remote managementairgroupservice sharing id _odisk_tcp id _afpovertcp_tcp id _xgrid_tcp description Sharingairgroupservice chat id _presence_tcp description Chatairgroupservice googlecast id _googlecast_tcp description GoogleCast supported by Chromecast etcairgroupservice DIAL id urndial-multiscreen-orgservicedial1 id urndial-multiscreen-orgdevicedial1 description DIAL 
supported by Chromecast FireTV Roku etcairgroupservice DLNA Media id urnschemas-upnp-orgdeviceMediaServer1 id urnschemas-upnp-orgdeviceMediaServer2 id urnschemas-upnp-orgdeviceMediaServer3 id urnschemas-upnp-orgdeviceMediaServer4 id urnschemas-upnp-orgdeviceMediaRenderer1 id urnschemas-upnp-orgdeviceMediaRenderer2 id urnschemas-upnp-orgdeviceMediaRenderer3 id urnschemas-upnp-orgdeviceMediaPlayer1 description Mediaairgroupservice DLNA Print id urnschemas-upnp-orgdevicePrinter1 id urnschemas-upnp-orgservicePrintBasic1 id urnschemas-upnp-orgservicePrintEnhanced1 description Printairgroupservice allowall description Remaining-Servicesairgroup service airplay enableairgroup service airprint enableairgroup service itunes disableairgroup service remotemgmt disableairgroup service sharing disableairgroup service chat disableairgroup service googlecast disableairgroup service DIAL enableairgroup service DLNA Media disableairgroup service DLNA Print disableairgroup service allowall disableip igmpipv6 mldno firewall attack-rate cp 1024firewall enable ICE-STUN based firewall traversalfirewall attack-rate grat-arp 50 dropipv6 firewall ext-hdr-parse-len 100firewall cpip domain lookupcountry USaaa authentication mac defaultaaa authentication dot1x ArubaIntop-dot1x_profaaa authentication dot1x ascom machine-authentication enable machine-authentication machine-default-role ascom machine-authentication user-default-role authenticated reauthentication termination enable termination eap-type eap-peap termination inner-eap-type eap-mschapv2aaa authentication dot1x defaultaaa authentication dot1x Freeradius machine-authentication enable machine-authentication machine-default-role ascom machine-authentication user-default-role authenticatedaaa authentication-server radius Intop host 19216802 key 6035e299cd29e5ccb74cf92aac31ee2faaa server-group ascom auth-server Internalaaa server-group default auth-server Internal set role condition role value-ofaaa server-group intop auth-server 
Intopaaa profile ascom initial-role ascom authentication-dot1x ascom dot1x-default-role authenticated dot1x-server-group ascomaaa profile defaultaaa profile default-dot1x initial-role ascom authentication-dot1x Freeradius dot1x-default-role authenticated dot1x-server-group intopaaa profile default-dot1x-psk initial-role ascom authentication-dot1x default-psk dot1x-default-role authenticatedaaa authentication captive-portal defaultaaa authentication wispr defaultaaa authentication vpn defaultaaa authentication vpn default-rapaaa authentication mgmtaaa authentication stateful-ntlm defaultaaa authentication stateful-kerberos defaultaaa authentication stateful-dot1x server-group intopaaa authentication wiredweb-serverguest-access-emailvoice loggingvoice dialplan-profile defaultapp lync traffic-control defaultvoice real-time-configvoice sipaaa password-policy mgmtcontrol-plane-security no cpsec-enableids wms-general-profile poll-retries 3ids wms-local-system-profilevalid-network-oui-profileupgrade-profilelicense profileactivate-service-whitelistfile syncing profileifmap cppmpan profile defaultpan active-profileap system-profile defaultap regulatory-domain-profile default country-code US valid-11g-channel 1 valid-11g-channel 6 valid-11g-channel 11 valid-11a-channel 36 valid-11a-channel 40 valid-11a-channel 44 valid-11a-channel 48 valid-11a-channel 149 valid-11a-channel 153 valid-11a-channel 157 valid-11a-channel 161 valid-11a-channel 165 valid-11g-40mhz-channel-pair 1-5 valid-11g-40mhz-channel-pair 7-11 valid-11a-40mhz-channel-pair 36-40 valid-11a-40mhz-channel-pair 44-48 valid-11a-40mhz-channel-pair 149-153 valid-11a-40mhz-channel-pair 157-161ap wired-ap-profile defaultap enet-link-profile defaultap mesh-ht-ssid-profile defaultap lldp med-network-policy-profile defaultap mesh-cluster-profile defaultap lldp profile defaultap mesh-radio-profile defaultap wired-port-profile defaultids general-profile defaultids unauthorized-device-profile defaultids profile defaultrf 
arm-profile default assignment disablerf arm-profile disable assignment disable no scanning no multi-band-scanrf optimization-profile defaultrf event-thresholds-profile defaultrf am-scan-profile defaultrf dot11a-radio-profile ch 165 channel 48E tx-power 6 arm-profile disablerf dot11a-radio-profile ch 36 channel 36E tx-power 25 dot11h arm-profile disablerf dot11a-radio-profile ch 40 channel 40- tx-power 22rf dot11a-radio-profile ch149 channel 149E tx-power 6 dot11hrf dot11a-radio-profile ch44 channel 44 tx-power 16rf dot11a-radio-profile default arm-profile disablerf dot11g-radio-profile channel-1 channel 1 tx-power 6 dot11h arm-profile disablerf dot11g-radio-profile channel-11 channel 11 tx-power 30 dot11h arm-profile disablerf dot11g-radio-profile channel-6 channel 6 tx-power 25 dot11h arm-profile disablerf dot11g-radio-profile defaultwlan handover-trigger-profile defaultwlan rrm-ie-profile defaultwlan bcn-rpt-req-profile defaultwlan dot11r-profile defaultwlan tsm-req-profile defaultwlan voip-cac-profile default call-capacity 5 bandwidth-capacity 200 send-sip-status-code client 503 send-sip-status-code server 503wlan ht-ssid-profile default no 40MHz-enable no very-high-throughput-enable no 80MHz-enable no short-guard-intvl-20MHz no short-guard-intvl-40MHz no short-guard-intvl-80MHzwlan hotspot anqp-venue-name-profile defaultwlan hotspot anqp-nwk-auth-profile defaultwlan hotspot anqp-roam-cons-profile defaultwlan hotspot anqp-nai-realm-profile defaultwlan hotspot anqp-3gpp-nwk-profile defaultwlan hotspot h2qp-operator-friendly-name-profile defaultwlan hotspot h2qp-wan-metrics-profile defaultwlan hotspot h2qp-conn-capability-profile defaultwlan hotspot h2qp-op-cl-profile defaultwlan hotspot anqp-ip-addr-avail-profile defaultwlan hotspot anqp-domain-name-profile defaultwlan wmm-traffic-management-profile Ascom enable-shapingwlan edca-parameters-profile station defaultwlan edca-parameters-profile ap defaultwlan dot11k-profile defaultwlan ssid-profile --NEW-- essid 
ArubaIntop2 wmm-vo-dscp 56 wmm-vi-dscp 40 wmm-be-dscp 24 wmm-bk-dscp 8wlan ssid-profile default essid ArubaIntop opmode wpa2-psk-aes dtim-period 5 g-basic-rates 6 g-tx-rates 11 12 18 24 36 48 54 max-retries 4 wmm wmm-vo-dscp 46 wmm-vi-dscp 40 wmm-be-dscp 26 wmm-bk-dscp 0 wepkey1 1317981aecb1ee9a3145cbeeabbbc99a4c29e309ef9c8544 wpa-passphrase 50a78a5dac7e447441e028920cceef898a3ba5f29c6e2098 max-tx-fail 25 edca-parameters-profile station default edca-parameters-profile ap defaultwlan ssid-profile test opmode wpa2-psk-aes wmm-vo-dscp 56 wmm-vi-dscp 40 wmm-be-dscp 24 wmm-bk-dscp 8 wpa-passphrase c66913b490044f55538730b888a8522c02008a746fb88738wlan hotspot advertisement-profile defaultwlan hotspot hs2-profile defaultwlan virtual-ap default aaa-profile default-dot1xap provisioning-profile defaultrf arm-rf-domain-profile arm-rf-domain-key 49868e8b02680a8f03980ea4288197a4ap-lacp-striping-ipap-group default virtual-ap default dot11a-radio-profile ch149 dot11g-radio-profile channel-6ap-name 001a1eca2c1a dot11a-radio-profile ch 36 dot11g-radio-profile channel-11ap-name 001a1eca2c76 dot11a-radio-profile ch 36 dot11g-radio-profile channel-1ap-name 00246ccbf8b1ap-name 00246ccbf900 dot11a-radio-profile ch44 dot11g-radio-profile channel-11ap-name 24dec6cacabc dot11a-radio-profile ch149 dot11g-radio-profile channel-1ap-name 3400-ap-61-a dot11g-radio-profile channel-6ap-name 3400-ap-61-b dot11g-radio-profile channel-6ap-name 9c1c12c0c3bc dot11a-radio-profile ch 165 dot11g-radio-profile channel-6ap-name 9c1c12c82e5c dot11a-radio-profile ch149 dot11g-radio-profile channel-1ap-name 9c1c12cc6220 dot11a-radio-profile ch 36 dot11g-radio-profile channel-6ap-name d8c7c8c0a168 dot11a-radio-profile ch 36 dot11g-radio-profile channel-1airgroup cppm-server aaalogging level warnings security subcat idslogging level warnings security subcat ids-apsnmp-server enable trapsnmp-server trap source 0000snmp-server trap disable wlsxAdhocNetworksnmp-server trap disable 
wlsxAdhocNetworkBridgeDetectedAPsnmp-server trap disable wlsxAdhocNetworkBridgeDetectedStasnmp-server trap disable wlsxAdhocUsingValidSSIDsnmp-server trap disable wlsxAuthMaxAclEntriessnmp-server trap disable wlsxAuthMaxBWContractssnmp-server trap disable wlsxAuthMaxUserEntriessnmp-server trap disable wlsxAuthServerIsUpsnmp-server trap disable wlsxAuthServerReqTimedOutsnmp-server trap disable wlsxAuthServerTimedOutsnmp-server trap disable wlsxChannelChangedsnmp-server trap disable wlsxCoverageHoleDetectedsnmp-server trap disable wlsxDBCommunicationFailuresnmp-server trap disable wlsxDisconnectStationAttacksnmp-server trap disable wlsxESIServerDownsnmp-server trap disable wlsxESIServerUpsnmp-server trap disable wlsxFanFailuresnmp-server trap disable wlsxFanTrayInsertedsnmp-server trap disable wlsxFanTrayRemovedsnmp-server trap disable wlsxGBICInsertedsnmp-server trap disable wlsxIpSpoofingDetectedsnmp-server trap disable wlsxLCInsertedsnmp-server trap disable wlsxLCRemovedsnmp-server trap disable wlsxLicenseExpirysnmp-server trap disable wlsxLowMemorysnmp-server trap disable wlsxLowOnFlashSpacesnmp-server trap disable wlsxOutOfRangeTemperaturesnmp-server trap disable wlsxOutOfRangeVoltagesnmp-server trap disable wlsxPowerSupplyFailuresnmp-server trap disable wlsxPowerSupplyMissingsnmp-server trap disable wlsxProcessDiedsnmp-server trap disable wlsxProcessExceedsMemoryLimitssnmp-server trap disable wlsxSCInsertedsnmp-server trap disable wlsxSignatureMatchsnmp-server trap disable wlsxStaUnAssociatedFromUnsecureAPsnmp-server trap disable wlsxStationAddedToBlackListsnmp-server trap disable wlsxStationRemovedFromBlackListsnmp-server trap disable wlsxSwitchIPChangedsnmp-server trap disable wlsxSwitchRoleChangesnmp-server trap disable wlsxUserAuthenticationFailedsnmp-server trap disable wlsxUserEntryAuthenticatedsnmp-server trap disable wlsxUserEntryChangedsnmp-server trap disable wlsxUserEntryCreatedsnmp-server trap disable wlsxUserEntryDeAuthenticatedsnmp-server trap 
disable wlsxUserEntryDeletedsnmp-server trap disable wlsxVrrpStateChangefirewall-visibility process monitor logend

WLAN TR


WLAN Interoperability Test Report
Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP115 and AP225
WLAN configuration: Beacon Interval 100 ms, DTIM Interval 5, 802.11d Regulatory Domain XX, WMM Enabled (AutoWMM), No Auto-tune, Single Voice VLAN
Columns: Test Case, Description, Verdict (AP115 2.4 GHz), Verdict (AP115 5.0 GHz), Verdict (AP225 2.4 GHz), Verdict (AP225 5.0 GHz), Comment
TEST AREA ASSOCIATION AUTHENTICATION
101 Association with open authentication no encryption PASS PASS PASS PASS
104 Association with WPA-PSK authentication TKIP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED Not tested. Only possible in Mixed mode and requires advanced configuration of i62
105 Association with WPA-PSK authentication AES-CCMP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED Not tested. Only possible in Mixed mode and requires advanced configuration of i62
106 Association with WPA2-PSK authentication TKIP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED
107 Association with WPA2-PSK authentication AES-CCMP encryption PASS PASS PASS PASS
110 Association with PEAP-MSCHAPv2 auth AES-CCMP encryption PASS PASS PASS PASS FreeRADIUS RootCA FAIL
111 Association with EAP-FAST authentication NOT TESTED NOT TESTED NOT TESTED NOT TESTED
115 Association with multiple ESSIDs on AP PASS PASS PASS PASS See Comment
116 Association with EAP-TLS authentication PASS PASS PASS PASS FreeRADIUS RootCA + client certificate
TEST AREA POWER-SAVE AND QOS PASS
150 802.11 Power-save mode PASS PASS PASS PASS FAIL
151 Beacon period and DTIM interval NOT TESTED NOT TESTED NOT TESTED NOT TESTED NOT TESTED
152 802.11e U-APSD PASS PASS PASS PASS See Comment
202 WMM prioritization PASS PASS PASS PASS background load generated with iPerf. No degeneration of voice quality
TEST AREA PERFORMANCE
301 Active mode - unencrypted NOT TESTED NOT TESTED NOT TESTED NOT TESTED
303 Active mode - encrypted with WPA2-PSK NOT TESTED NOT TESTED NOT TESTED NOT TESTED
308 Power-save mode U-APSD - WPA2-PSK NOT TESTED NOT TESTED NOT TESTED NOT TESTED
309 Power-save mode U-APSD - WPA2-PSK AES background load NOT TESTED NOT TESTED NOT TESTED NOT TESTED
310 CAC - TSPEC PASS PASS PASS PASS No TSPEC based CAC
TEST AREA ROAMING AND HANDOVER TIMES
401 Handover with open authentication and no encryption PASS PASS PASS PASS avg a/n 24 ms, b/g/n 24 ms
403 Handover with WPA-PSK authentication and TKIP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED
404 Handover with WPA2-PSK auth and AES-CCMP encryption PASS PASS PASS PASS avg a/n 52 ms, b/g/n 59 ms
408 Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption PASS PASS PASS PASS avg a/n 63 ms, b/g/n 62 ms
410 Handover using PMKSA caching PASS PASS PASS PASS always on, see 408
411 Handover using PMKSA and opportunistic/proactive key caching PASS PASS PASS PASS always on, see 408
TEST AREA BATTERY LIFETIME
501 Battery lifetime in idle NOT TESTED NOT TESTED NOT TESTED NOT TESTED
502 Battery lifetime in call with no power save NOT TESTED NOT TESTED NOT TESTED NOT TESTED
504 Battery lifetime in call with power save mode U-APSD NOT TESTED NOT TESTED NOT TESTED NOT TESTED
TEST AREA STABILITY
601 Duration of call - Active mode NOT TESTED NOT TESTED NOT TESTED NOT TESTED
602 Duration of call - U-APSD mode PASS PASS PASS PASS
TEST AREA 802.11n
801 Frame aggregation A-MSDU NOT TESTED NOT TESTED NOT TESTED NOT TESTED
802 Frame aggregation A-MPDU NOT TESTED NOT TESTED NOT TESTED NOT TESTED
804 40 MHz channels NOT TESTED PASS NOT TESTED NOT TESTED
805 802.11n rates PASS PASS PASS PASS
WLAN Interoperability Test Report
Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP103 and AP205
WLAN configuration: Beacon Interval 100 ms, DTIM Interval 5, 802.11d Regulatory Domain XX, WMM Enabled (AutoWMM), No Auto-tune, Single Voice VLAN
Columns: Test Case, Description, Verdict (AP205 2.4 GHz), Verdict (AP205 5.0 GHz), Verdict (AP103 2.4 GHz), Verdict (AP103 5.0 GHz), Comment
TEST AREA ASSOCIATION AUTHENTICATION
101 Association with open authentication no encryption PASS PASS PASS PASS
104 Association with WPA-PSK authentication TKIP encryption See Comment See Comment See Comment See Comment Not tested. Only possible in Mixed mode and requires advanced configuration of i62
105 Association with WPA-PSK authentication AES-CCMP encryption See Comment See Comment See Comment See Comment Not tested. Only possible in Mixed mode and requires advanced configuration of i62
106 Association with WPA2-PSK authentication TKIP encryption PASS PASS PASS PASS
107 Association with WPA2-PSK authentication AES-CCMP encryption PASS PASS PASS PASS
110 Association with PEAP-MSCHAPv2 auth AES-CCMP encryption PASS PASS PASS PASS FreeRADIUS RootCA FAIL
115 Association with multiple ESSIDs on AP PASS PASS PASS PASS See Comment
116 Association with EAP-TLS authentication PASS PASS PASS PASS FreeRADIUS RootCA + client certificate
TEST AREA POWER-SAVE AND QOS PASS
150 802.11 Power-save mode PASS PASS PASS PASS FAIL
151 Beacon period and DTIM interval See Comment See Comment PASS PASS Only DTIM 1 for AP205; AP103 no remark NOT TESTED
152 802.11e U-APSD PASS PASS PASS PASS See Comment
202 WMM prioritization PASS PASS PASS PASS
TEST AREA PERFORMANCE
301 Active mode - unencrypted PASS PASS PASS PASS
303 Active mode - encrypted with WPA2-PSK PASS PASS PASS PASS
308 Power-save mode U-APSD - WPA2-PSK PASS PASS PASS PASS
309 Power-save mode U-APSD - WPA2-PSK AES background load NOT TESTED NOT TESTED NOT TESTED NOT TESTED
310 CAC - TSPEC PASS PASS PASS PASS Non tspec based CAC
TEST AREA ROAMING AND HANDOVER TIMES
401 Handover with open authentication and no encryption PASS PASS PASS PASS Typical average roaming time a/n/ac 16 ms, b/g/n 18 ms
403 Handover with WPA-PSK authentication and TKIP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED
404 Handover with WPA2-PSK auth and AES-CCMP encryption PASS PASS PASS PASS Typical average roaming time a/n/ac 53 ms, b/g/n 59 ms
408 Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption PASS PASS PASS PASS Typical average roaming time a/n/ac 46 ms, b/g/n 62 ms
410 Handover using PMKSA caching PASS PASS PASS PASS always on, see 408
411 Handover using PMKSA and opportunistic/proactive key caching PASS PASS PASS PASS always on, see 408
TEST AREA BATTERY LIFETIME
501 Battery lifetime in idle See Comment See Comment PASS PASS 60-70h due to DTIM 1 only AP103 90 100h (DTIM 5)
502 Battery lifetime in call with no power save PASS PASS PASS PASS 3-4hours
504 Battery lifetime in call with power save mode U-APSD PASS PASS PASS PASS 13h (14-16h for AP103)
TEST AREA STABILITY
601 Duration of call - Active mode PASS PASS PASS PASS 24h +
602 Duration of call - U-APSD mode PASS PASS PASS PASS 24h +
TEST AREA 802.11n
801 Frame aggregation A-MSDU NOT TESTED NOT TESTED NOT TESTED NOT TESTED
802 Frame aggregation A-MPDU NOT TESTED NOT TESTED NOT TESTED NOT TESTED
804 40 MHz channels NOT TESTED PASS NOT TESTED PASS AP205 80 MHz channels verified OK
805 802.11n rates PASS PASS PASS PASS
WLAN Interoperability Test Report
Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP105 and AP135
WLAN configuration: Beacon Interval 100 ms, DTIM Interval 5, 802.11d Regulatory Domain XX, WMM Enabled (AutoWMM), No Auto-tune, Single Voice VLAN
Columns: Test Case, Description, Verdict (AP105 2.4 GHz), Verdict (AP105 5.0 GHz), Verdict (AP135 2.4 GHz), Verdict (AP135 5.0 GHz), Comment
TEST AREA ASSOCIATION AUTHENTICATION
101 Association with open authentication no encryption PASS PASS PASS PASS
104 Association with WPA-PSK authentication TKIP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED Not tested. Only possible in Mixed mode and requires advanced configuration of i62
105 Association with WPA-PSK authentication AES-CCMP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED Not tested. Only possible in Mixed mode and requires advanced configuration of i62
106 Association with WPA2-PSK authentication TKIP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED
107 Association with WPA2-PSK authentication AES-CCMP encryption PASS PASS PASS PASS
110 Association with PEAP-MSCHAPv2 auth AES-CCMP encryption PASS PASS PASS PASS FreeRADIUS RootCA FAIL
115 Association with multiple ESSIDs on AP PASS PASS PASS PASS See Comment
116 Association with EAP-TLS authentication PASS PASS PASS PASS FreeRADIUS RootCA + client certificate
TEST AREA POWER-SAVE AND QOS PASS
150 802.11 Power-save mode PASS PASS PASS PASS FAIL
151 Beacon period and DTIM interval NOT TESTED NOT TESTED NOT TESTED NOT TESTED Only DTIM 1 for AP205; AP103 no remark NOT TESTED
152 802.11e U-APSD PASS PASS PASS PASS See Comment
202 WMM prioritization NOT TESTED NOT TESTED NOT TESTED NOT TESTED background load generated with iPerf. No degeneration of voice quality
TEST AREA PERFORMANCE
301 Active mode - unencrypted NOT TESTED NOT TESTED NOT TESTED NOT TESTED
303 Active mode - encrypted with WPA2-PSK NOT TESTED NOT TESTED NOT TESTED NOT TESTED
308 Power-save mode U-APSD - WPA2-PSK NOT TESTED NOT TESTED NOT TESTED NOT TESTED
309 Power-save mode U-APSD - WPA2-PSK AES background load NOT TESTED NOT TESTED NOT TESTED NOT TESTED
310 CAC - TSPEC PASS PASS PASS PASS No TSPEC based CAC
TEST AREA ROAMING AND HANDOVER TIMES
401 Handover with open authentication and no encryption PASS PASS PASS PASS avg a/n 29 ms, b/g/n 27 ms
403 Handover with WPA-PSK authentication and TKIP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED
404 Handover with WPA2-PSK auth and AES-CCMP encryption PASS PASS PASS PASS avg a/n 57 ms, b/g/n 55 ms
408 Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption PASS PASS PASS PASS avg a/n 62 ms, b/g/n 60 ms
410 Handover using PMKSA caching PASS PASS PASS PASS Always on, see 408
411 Handover using PMKSA and opportunistic/proactive key caching PASS PASS PASS PASS Always on, see 408
412 Preauthentication NOT TESTED NOT TESTED NOT TESTED NOT TESTED
TEST AREA BATTERY LIFETIME
501 Battery lifetime in idle NOT TESTED NOT TESTED NOT TESTED NOT TESTED
502 Battery lifetime in call with no power save NOT TESTED NOT TESTED NOT TESTED NOT TESTED
504 Battery lifetime in call with power save mode U-APSD NOT TESTED NOT TESTED NOT TESTED NOT TESTED
TEST AREA STABILITY
601 Duration of call - Active mode PASS PASS PASS PASS
602 Duration of call - U-APSD mode PASS PASS PASS PASS
TEST AREA 802.11n
801 Frame aggregation A-MSDU NOT TESTED NOT TESTED NOT TESTED NOT TESTED
802 Frame aggregation A-MPDU NOT TESTED NOT TESTED NOT TESTED NOT TESTED
804 40 MHz channels NOT TESTED NOT TESTED NOT TESTED PASS
805 802.11n rates PASS PASS PASS PASS

Set "Maximum Transmit Failures" to 25.

"High throughput enable" enables 802.11n capabilities that are supported in combination with Open encryption and WPA2‐AES (PSK or Enterprise).

Ascom supports SSIDs that use 40 MHz channels and SSIDs with Very High Throughput enabled, including 80 MHz channels.

Ascom recommends a Beacon Interval of 100 ms and advertising 802.11d/h capabilities.

General guidelines when deploying Ascom i62 handsets (SW version 257 or later) in 802.11a/n environments:

1. Enabling more than 8 channels will degrade roaming performance. Ascom strongly recommends against going above this limit.

2. Using 40 MHz channels (or "channel‐bonding") will reduce the number of non‐DFS channels to two in ETSI regions (Europe). In FCC regions (North America) 40 MHz is a more viable option because of the availability of additional non‐DFS channels. The handset can co‐exist with 40 MHz stations in the same ESS.

3. Make sure that all non‐DFS channels are taken before resorting to DFS channels. The handset can cope in mixed non‐DFS and DFS environments; however, due to the "unpredictability" introduced by radar detection protocols, voice quality may become distorted and roaming delayed. Hence Ascom recommends avoiding the use of DFS channels in VoWi‐Fi deployments.

) Dynamic Frequency Selection (radar detection)

Ascom recommends a Beacon Interval of 100ms and advertising 80211dh capabilities For 80211bgn

use only channels 1 6 and 11 For 80211an use channels in accordance with Arubarsquos guidelines and in

compliance with local regulations
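The channel and transmit-failure guidelines above can be checked mechanically against a controller configuration export. The script below is an added example, not part of the Aruba/Ascom guide: its sample input reuses statements from the guide's Appendix B test configuration, with the one-statement-per-line layout, indentation and "!" separators assumed, and it treats every valid-11a-channel entry as an enabled 5 GHz channel (also an assumption).

```python
"""Audit an ArubaOS-style config export against the Ascom i62 guidelines."""
import re

# Constructed sample: statements taken from the Appendix B test configuration,
# laid out one per line. Indentation and "!" separators are assumed because
# the extracted page flattened the file.
SAMPLE_CONFIG = """\
ap regulatory-domain-profile default
   country-code US
   valid-11g-channel 1
   valid-11g-channel 6
   valid-11g-channel 11
   valid-11a-channel 36
   valid-11a-channel 40
   valid-11a-channel 44
   valid-11a-channel 48
   valid-11a-channel 149
   valid-11a-channel 153
   valid-11a-channel 157
   valid-11a-channel 161
   valid-11a-channel 165
!
wlan ssid-profile default
   essid ArubaIntop
   opmode wpa2-psk-aes
   max-tx-fail 25
!
wlan ssid-profile test
   opmode wpa2-psk-aes
!
"""

MAX_CHANNELS = 8             # guideline 1: more than 8 channels degrades roaming
ALLOWED_24GHZ = {1, 6, 11}   # 802.11b/g/n: channels 1, 6 and 11 only
# 5 GHz channels subject to radar detection: 52-64 and 100-144
DFS_5GHZ = set(range(52, 65, 4)) | set(range(100, 145, 4))
EXPECTED_MAX_TX_FAIL = 25    # "Maximum Transmit Failures" setting

BLOCK_RE = re.compile(r"(ap regulatory-domain-profile|wlan ssid-profile)\s+(.+)")


def parse_blocks(text):
    """Return {(kind, name): [child statements]} for the two block types audited."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw[0].isspace():          # unindented line opens a new block
            m = BLOCK_RE.match(line)
            current = (m.group(1), m.group(2).strip('"')) if m else None
            if current:
                blocks.setdefault(current, [])
        elif current:                     # indented line belongs to the open block
            blocks[current].append(line)
    return blocks


def channels(children, keyword):
    """Collect channel numbers from lines such as 'valid-11a-channel 36'."""
    found = []
    for child in children:
        parts = child.split()
        if len(parts) == 2 and parts[0] == keyword and parts[1].isdigit():
            found.append(int(parts[1]))
    return found


def audit(text):
    """Return a sorted list of (profile, finding) tuples."""
    findings = []
    for (kind, name), children in parse_blocks(text).items():
        label = f"{kind} {name}"
        if kind == "ap regulatory-domain-profile":
            five = channels(children, "valid-11a-channel")
            two4 = channels(children, "valid-11g-channel")
            if len(five) > MAX_CHANNELS:
                findings.append(
                    (label, f"{len(five)} channels in the 5 GHz list, limit is {MAX_CHANNELS}"))
            dfs = sorted(set(five) & DFS_5GHZ)
            if dfs:
                findings.append((label, f"DFS channels enabled: {dfs}"))
            extra = sorted(set(two4) - ALLOWED_24GHZ)
            if extra:
                findings.append((label, f"2.4 GHz channels outside 1/6/11: {extra}"))
        else:
            value = next(
                (c.split()[1] for c in children if c.startswith("max-tx-fail ")), None)
            if value != str(EXPECTED_MAX_TX_FAIL):
                findings.append(
                    (label, f"max-tx-fail is {value or 'unset'}, expected {EXPECTED_MAX_TX_FAIL}"))
    return sorted(findings)


if __name__ == "__main__":
    for profile, finding in audit(SAMPLE_CONFIG):
        print(f"{profile}: {finding}")
```

On the sample it reports the regulatory-domain profile, which lists nine 5 GHz channels against the limit of eight, and the `test` SSID profile, which does not set `max-tx-fail 25`.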

Encryption and Authentication Settings

WPA2-PSK: Set the security profile to WPA2-PSK, AES encryption.

Enterprise/1X authentication

Step 1: When configuring the authentication mode using a RADIUS server, the IP address and the secret must correspond to the IP address and the credential used by the RADIUS server. The RADIUS server should be added to a Server Group.

Step 2: Create an 802.1X Authentication Profile.

Step 3: Choose the 802.1X Authentication profile created in the previous step and configure the Authentication Server group.

Choose the configured AAA Profile and set WPA2-AES as the security mode.

See Appendix B for the controller configuration used for the certification process.

Ascom i62 Setting Summary

Network settings for WPA2‐PSK

Network settings for 1X authentication (PEAP-MSCHAPv2)

802.1X authentication requires a root certificate to be uploaded to the phone by "right clicking" -> Edit certificates. EAP-TLS will require both a root and a client certificate.

Note that both a root and a client certificate are needed for TLS. Otherwise only a root certificate is needed.

Server certificate validation can be overridden in version 4112 and above per handset setting (Validate server certificate under Network settings).

APPENDIX B

Test Summary

Description              Runs
Tests passed             24
Tests Not Run            11
Tests fail               0
Test NA                  0
Total Number of Tests    35

Aruba Test Configuration File

version 64
enable secret 7d3988e20126db68084797bcc038534bffc2ced01c24555806
hostname Aruba3400
clock timezone PST -8
location Building1floor1
controller config 716
ip NAT pool dynamic-srcnat 0000 0000
ip access-list eth validuserethacl
   permit any
netservice svc-pcoip2-tcp tcp 4172
netservice svc-snmp-trap udp 162
netservice svc-netbios-dgm udp 138
netservice svc-citrix tcp 2598
netservice svc-smb-tcp tcp 445
netservice svc-ike udp 500
netservice svc-l2tp udp 1701
netservice svc-syslog udp 514
netservice svc-dhcp udp 67 68 alg dhcp
netservice svc-https tcp 443
netservice svc-ica tcp 1494
netservice svc-pptp tcp 1723
netservice svc-telnet tcp 23
netservice svc-http-accl tcp 88
netservice svc-sccp tcp 2000 alg sccp
netservice svc-sec-papi udp 8209
netservice svc-tftp udp 69 alg tftp
netservice svc-kerberos udp 88
netservice svc-sip-tcp tcp 5060
netservice svc-netbios-ssn tcp 139
netservice svc-pcoip-udp udp 50002
netservice svc-pcoip-tcp tcp 50002
netservice svc-pop3 tcp 110
netservice svc-adp udp 8200
netservice svc-cfgm-tcp tcp 8211
netservice svc-noe udp 32512 alg noe
netservice svc-http-proxy3 tcp 8888
netservice svc-lpd-tcp tcp 631
netservice svc-msrpc-tcp tcp 135 139
netservice svc-rtsp tcp 554 alg rtsp
netservice svc-dns udp 53 alg dns
netservice vnc tcp 5900 5905
netservice svc-vocera udp 5002 alg vocera
netservice svc-h323-tcp tcp 1720
netservice svc-h323-udp udp 1718 1719
netservice svc-http tcp 80
netservice svc-nterm tcp 1026 1028
netservice svc-sip-udp udp 5060
netservice svc-http-proxy2 tcp 8080
netservice svc-noe-oxo udp 5000 alg noe
netservice svc-papi udp 8211
netservice svc-ftp tcp 21 alg ftp
netservice svc-natt udp 4500
netservice svc-svp 119 alg svp
netservice svc-microsoft-ds tcp 445
netservice svc-gre 47
netservice svc-smtp tcp 25
netservice web tcp list 80 443
netservice svc-smb-udp udp 445
netservice svc-sips tcp 5061 alg sips
netservice svc-netbios-ns udp 137
netservice svc-esp 50

netservice svc-cups tcp 515
netservice svc-pcoip2-udp udp 4172
netservice svc-bootp udp 67 69
netservice svc-snmp udp 161
netservice svc-v6-dhcp udp 546 547
netservice svc-icmp 1
netservice svc-ntp udp 123
netservice svc-msrpc-udp udp 135 139
netservice svc-ssh tcp 22
netservice svc-http-proxy1 tcp 3128
netservice svc-v6-icmp 58
netservice svc-lpd-udp udp 631
netservice svc-vmware-rdp tcp 3389
netdestination6 ipv6-reserved-range
   invert
   network 20003
netexthdr default
time-range night-hours periodic
   weekday 1801 to 2359
   weekday 0000 to 0759
time-range weekend periodic
   weekend 0000 to 2359
time-range working-hours periodic
   weekday 0800 to 1800
ip access-list session allow-diskservices
   any any svc-netbios-dgm permit
   any any svc-netbios-ssn permit
   any any svc-microsoft-ds permit
   any any svc-netbios-ns permit
ip access-list session control
   any any svc-papi permit
   any any svc-sec-papi permit
   user any udp 68 deny
   any any svc-icmp permit
   any any svc-dns permit
   any any svc-cfgm-tcp permit
   any any svc-adp permit
   any any svc-tftp permit
   any any svc-dhcp permit
   any any svc-natt permit
ip access-list session v6-icmp-acl
ip access-list session apprf-ascom-sacl
ip access-list session validuser
   network 16925400 25525500 any any deny
   network 127000 255000 any any deny
   network 224000 240000 any any deny
   host 255255255255 any any deny
   network 240000 240000 any any deny
   any any any permit
   ipv6 host fe80 any any deny
   ipv6 network fc007 any any permit
   ipv6 network fe8064 any any permit
   ipv6 alias ipv6-reserved-range any any deny
   ipv6 any any any permit
ip access-list session vocera-acl
   any any svc-vocera permit queue high

ip access-list session v6-https-acl
ip access-list session vmware-acl
   any any svc-vmware-rdp permit tos 46 dot1p-priority 6
   any any svc-pcoip-tcp permit tos 46 dot1p-priority 6
   any any svc-pcoip-udp permit tos 46 dot1p-priority 6
   any any svc-pcoip2-tcp permit tos 46 dot1p-priority 6
   any any svc-pcoip2-udp permit tos 46 dot1p-priority 6
ip access-list session apprf-default-vpn-role-sacl
ip access-list session v6-control
   ipv6 any any svc-papi permit
   ipv6 any any svc-sec-papi permit
   ipv6 user any udp 547 deny
   ipv6 any any svc-v6-icmp permit
   ipv6 any any svc-dns permit
   ipv6 any any svc-cfgm-tcp permit
   ipv6 any any svc-adp permit
   ipv6 any any svc-tftp permit
   ipv6 any any svc-dhcp permit
   ipv6 any any svc-natt permit
ip access-list session icmp-acl
   any any svc-icmp permit
ip access-list session apprf-authenticated-sacl
ip access-list session apprf-stateful-dot1x-sacl
ip access-list session captiveportal
   user alias controller svc-https dst-nat 8081
   user any svc-http dst-nat 8080
   user any svc-https dst-nat 8081
   user any svc-http-proxy1 dst-nat 8088
   user any svc-http-proxy2 dst-nat 8088
   user any svc-http-proxy3 dst-nat 8088
ip access-list session v6-dhcp-acl
ip access-list session allowall
   any any any permit
ip access-list session v6-dns-acl
ip access-list session apprf-voice-sacl
ip access-list session lync-acl
   any any svc-sips permit queue high
ip access-list session test
ip access-list session sip-acl
   any any svc-sip-udp permit queue high
   any any svc-sip-tcp permit queue high
ip access-list session https-acl
   any any svc-https permit
ip access-list session citrix-acl
   any any svc-citrix permit tos 46 dot1p-priority 6
   any any svc-ica permit tos 46 dot1p-priority 6
ip access-list session dns-acl
   any any svc-dns permit

ip access-list session ascom
   any any any permit
ip access-list session ra-guard
   ipv6 user any icmpv6 rtr-adv deny
ip access-list session allow-printservices
   any any svc-cups permit
   any any svc-lpd-tcp permit
   any any svc-lpd-udp permit
ip access-list session logon-control
   user any udp 68 deny
   any any svc-icmp permit
   any any svc-dns permit
   any any svc-dhcp permit
   any any svc-natt permit
   any network 16925400 25525500 any deny
   any network 240000 240000 any deny
ip access-list session vpnlogon
   user any svc-ike permit
   user any svc-esp permit
   any any svc-l2tp permit
   any any svc-pptp permit
   any any svc-gre permit
ip access-list session srcnat
   user any any src-nat
ip access-list session skinny-acl
   any any svc-sccp permit queue high
ip access-list session tftp-acl
   any any svc-tftp permit
ip access-list session v6-allowall
ip access-list session apprf-cpbase-sacl
ip access-list session cplogout
   user alias controller svc-https dst-nat 8081
ip access-list session apprf-default-via-role-sacl
ip access-list session dhcp-acl
   any any svc-dhcp permit
ip access-list session http-acl
   any any svc-http permit
ip access-list session v6-http-acl
ip access-list session captiveportal6
   ipv6 user alias controller6 svc-https captive
   ipv6 user any svc-http captive
   ipv6 user any svc-https captive
   ipv6 user any svc-http-proxy1 captive
   ipv6 user any svc-http-proxy2 captive
   ipv6 user any svc-http-proxy3 captive
ip access-list session apprf-guest-sacl
ip access-list session ap-uplink-acl
   any any udp 68 permit

   any any svc-icmp permit
   any host 22400251 udp 5353 permit
ip access-list session ap-acl
   any any svc-gre permit
   any any svc-syslog permit
   any user svc-snmp permit
   user any svc-http permit
   user any svc-http-accl permit
   user any svc-smb-tcp permit
   user any svc-msrpc-tcp permit
   user any svc-snmp-trap permit
   user any svc-ntp permit
   user alias controller svc-ftp permit
ip access-list session svp-acl
   any any svc-svp permit queue high
   user host 22401116 any permit
ip access-list session noe-acl
   any any svc-noe permit queue high
ip access-list session global-sacl
ip access-list session v6-ap-acl
   ipv6 any any svc-gre permit
   ipv6 any any svc-syslog permit
   ipv6 any user svc-snmp permit
   ipv6 user any svc-snmp-trap permit
   ipv6 user any svc-ntp permit
   ipv6 user alias controller6 svc-ftp permit
ip access-list session h323-acl
   any any svc-h323-tcp permit queue high
   any any svc-h323-udp permit queue high
ip access-list session v6-logon-control
   ipv6 any network fc007 any permit
   ipv6 any network fe8064 any permit
   ipv6 any alias ipv6-reserved-range any deny
vpn-dialer default-dialer
   ike authentication PRE-SHARE 0fa4598253e270cc96afbec0732b06120e4a3d76a908f6e2
dot1x high-watermark 60
dot1x low-watermark 57
user-role ap-role
   access-list session ra-guard
   access-list session control
   access-list session ap-acl
   access-list session v6-control
   access-list session v6-ap-acl
user-role denyall
user-role default-vpn-role
   access-list session global-sacl
   access-list session apprf-default-vpn-role-sacl
   access-list session ra-guard
   access-list session allowall
   access-list session v6-allowall
user-role cpbase
   access-list session global-sacl
   access-list session apprf-cpbase-sacl

user-role voice
   access-list session global-sacl
   access-list session apprf-voice-sacl
   access-list session ra-guard
   access-list session sip-acl
   access-list session noe-acl
   access-list session svp-acl
   access-list session vocera-acl
   access-list session skinny-acl
   access-list session h323-acl
   access-list session dhcp-acl
   access-list session tftp-acl
   access-list session dns-acl
   access-list session icmp-acl
user-role ascom
   access-list session global-sacl
   access-list session apprf-ascom-sacl
   access-list session ascom
user-role default-via-role
   access-list session global-sacl
   access-list session apprf-default-via-role-sacl
   access-list session allowall
   access-list session v6-allowall
user-role guest-logon
   captive-portal default
   access-list session ra-guard
   access-list session logon-control
   access-list session captiveportal
   access-list session v6-logon-control
   access-list session captiveportal6
user-role guest
   access-list session global-sacl
   access-list session apprf-guest-sacl
   access-list session ra-guard
   access-list session http-acl
   access-list session https-acl
   access-list session dhcp-acl
   access-list session icmp-acl
   access-list session dns-acl
   access-list session v6-http-acl
   access-list session v6-https-acl
   access-list session v6-dhcp-acl
   access-list session v6-icmp-acl
   access-list session v6-dns-acl
user-role stateful-dot1x
   access-list session global-sacl
   access-list session apprf-stateful-dot1x-sacl
user-role authenticated
   access-list session global-sacl
   access-list session apprf-authenticated-sacl
   access-list session ra-guard
   access-list session allowall
   access-list session v6-allowall
user-role logon
   access-list session ra-guard
   access-list session logon-control
   access-list session captiveportal
   access-list session vpnlogon
   access-list session v6-logon-control

   access-list session captiveportal6
no kernel coredump
interface mgmt
   shutdown
dialer group evdo_us
   init-string ATQ0V1E0
   dial-string ATDT777
dialer group gsm_us
   init-string AT+CGDCONT=1IPISPCINGULAR
   dial-string ATD99
dialer group gsm_asia
   init-string AT+CGDCONT=1IPinternet
   dial-string ATD991
dialer group vivo_br
   init-string AT+CGDCONT=1IPzapvivocombr
   dial-string ATD99
no spanning-tree
interface gigabitethernet 10
   description GE10
   trusted
   trusted vlan 1-4094
interface gigabitethernet 11
   description GE11
   trusted
   trusted vlan 1-4094
interface gigabitethernet 12
   description GE12
   trusted
   trusted vlan 1-4094
interface gigabitethernet 13
   description GE13
   trusted
   trusted vlan 1-4094
interface vlan 1
   ip address 192168013 2552552550
ip default-gateway 172201061
ip default-gateway 192168050
uplink disable

crypto isakmp policy 20
   encryption aes256
crypto isakmp policy 10001
crypto isakmp policy 10002
   encryption aes256
   authentication rsa-sig
crypto isakmp policy 10003
   encryption aes256
crypto isakmp policy 10004
   version v2
   encryption aes256
   authentication rsa-sig
crypto isakmp policy 10005
   encryption aes256
crypto isakmp policy 10006
   version v2
   encryption aes128
   authentication rsa-sig
crypto isakmp policy 10007
   version v2
   encryption aes128
crypto isakmp policy 10008
   version v2
   encryption aes128
   hash sha2-256-128
   group 19
   authentication ecdsa-256
   prf prf-hmac-sha256
crypto isakmp policy 10009
   version v2
   encryption aes256
   hash sha2-384-192
   group 20
   authentication ecdsa-384
   prf prf-hmac-sha384
crypto ipsec transform-set default-ha-transform esp-3des esp-sha-hmac
crypto ipsec transform-set default-boc-bm-transform esp-3des esp-sha-hmac
crypto ipsec transform-set default-rap-transform esp-aes256 esp-sha-hmac
crypto ipsec transform-set default-aes esp-aes256 esp-sha-hmac
crypto dynamic-map default-rap-ipsecmap 10001
   version v2
   set transform-set default-gcm256 default-gcm128 default-rap-transform
crypto dynamic-map default-dynamicmap 10000
   set transform-set default-transform default-aes

crypto map GLOBAL-IKEV2-MAP 10000 ipsec-isakmp dynamic default-rap-ipsecmap
crypto map GLOBAL-MAP 10000 ipsec-isakmp dynamic default-dynamicmap
crypto isakmp eap-passthrough eap-tls
crypto isakmp eap-passthrough eap-peap
crypto isakmp eap-passthrough eap-mschapv2
vpdn group l2tp
vpdn group pptp
tunneled-node-address 0000
adp discovery enable
adp igmp-join enable
adp igmp-vlan 0
voice rtcp-inactivity disable
voice alg-based-cac enable
voice sip-midcall-req-timeout disable
ap ap-blacklist-time 3600
ap flush-r1-on-new-r0 disable
mgmt-user admin root 5436b5a101681372db26d314e974065944317cd3e1fe6a5534
no database synchronize
ip mobile domain default
airgroup mdns enable
airgroup dlna enable
airgroup location-discovery enable
airgroup active-wireless-discovery disable
airgroupservice airplay
   id _airplay_tcp
   id _raop_tcp
   id _appletv-v2_tcp
   description AirPlay
airgroupservice airprint
   id _ipp_tcp
   id _pdl-datastream_tcp
   id _printer_tcp
   id _scanner_tcp
   id _universal_sub_ipp_tcp
   id _universal_sub_ipps_tcp
   id _printer_sub_http_tcp
   id _http_tcp

   id _http-alt_tcp
   id _ipp-tls_tcp
   id _fax-ipp_tcp
   id _riousbprint_tcp
   id _cups_sub_ipp_tcp
   id _cups_sub_fax-ipp_tcp
   id _ica-networking_tcp
   id _ptp_tcp
   id _canon-bjnp1_tcp
   id _ipps_tcp
   id _ica-networking2_tcp
   description AirPrint
airgroupservice itunes
   id _home-sharing_tcp
   id _apple-mobdev_tcp
   id _daap_tcp
   id _dacp_tcp
   description iTunes
airgroupservice remotemgmt
   id _ssh_tcp
   id _sftp-ssh_tcp
   id _ftp_tcp
   id _telnet_tcp
   id _rfb_tcp
   id _net-assistant_tcp
   description Remote management
airgroupservice sharing
   id _odisk_tcp
   id _afpovertcp_tcp
   id _xgrid_tcp
   description Sharing
airgroupservice chat
   id _presence_tcp
   description Chat
airgroupservice googlecast
   id _googlecast_tcp
   description GoogleCast supported by Chromecast etc
airgroupservice DIAL
   id urndial-multiscreen-orgservicedial1
   id urndial-multiscreen-orgdevicedial1
   description DIAL supported by Chromecast FireTV Roku etc
airgroupservice DLNA Media
   id urnschemas-upnp-orgdeviceMediaServer1
   id urnschemas-upnp-orgdeviceMediaServer2
   id urnschemas-upnp-orgdeviceMediaServer3
   id urnschemas-upnp-orgdeviceMediaServer4
   id urnschemas-upnp-orgdeviceMediaRenderer1
   id urnschemas-upnp-orgdeviceMediaRenderer2
   id urnschemas-upnp-orgdeviceMediaRenderer3
   id urnschemas-upnp-orgdeviceMediaPlayer1
   description Media
airgroupservice DLNA Print
   id urnschemas-upnp-orgdevicePrinter1
   id urnschemas-upnp-orgservicePrintBasic1
   id urnschemas-upnp-orgservicePrintEnhanced1
   description Print
airgroupservice allowall

   description Remaining-Services
airgroup service airplay enable
airgroup service airprint enable
airgroup service itunes disable
airgroup service remotemgmt disable
airgroup service sharing disable
airgroup service chat disable
airgroup service googlecast disable
airgroup service DIAL enable
airgroup service DLNA Media disable
airgroup service DLNA Print disable
airgroup service allowall disable
ip igmp
ipv6 mld
no firewall attack-rate cp 1024
firewall enable ICE-STUN based firewall traversal
firewall attack-rate grat-arp 50 drop
ipv6 firewall ext-hdr-parse-len 100
firewall cp
ip domain lookup
country US
aaa authentication mac default
aaa authentication dot1x ArubaIntop-dot1x_prof
aaa authentication dot1x ascom
   machine-authentication enable
   machine-authentication machine-default-role ascom
   machine-authentication user-default-role authenticated
   reauthentication
   termination enable
   termination eap-type eap-peap
   termination inner-eap-type eap-mschapv2
aaa authentication dot1x default
aaa authentication dot1x Freeradius
   machine-authentication enable
   machine-authentication machine-default-role ascom
   machine-authentication user-default-role authenticated
aaa authentication-server radius Intop
   host 19216802

   key 6035e299cd29e5ccb74cf92aac31ee2f
aaa server-group ascom
   auth-server Internal
aaa server-group default
   auth-server Internal
   set role condition role value-of
aaa server-group intop
   auth-server Intop
aaa profile ascom
   initial-role ascom
   authentication-dot1x ascom
   dot1x-default-role authenticated
   dot1x-server-group ascom
aaa profile default
aaa profile default-dot1x
   initial-role ascom
   authentication-dot1x Freeradius
   dot1x-default-role authenticated
   dot1x-server-group intop
aaa profile default-dot1x-psk
   initial-role ascom
   authentication-dot1x default-psk
   dot1x-default-role authenticated
aaa authentication captive-portal default
aaa authentication wispr default
aaa authentication vpn default
aaa authentication vpn default-rap
aaa authentication mgmt
aaa authentication stateful-ntlm default
aaa authentication stateful-kerberos default
aaa authentication stateful-dot1x
   server-group intop
aaa authentication wired
web-server
guest-access-email
voice logging
voice dialplan-profile default
app lync traffic-control default
voice real-time-config
voice sip
aaa password-policy mgmt

control-plane-security
   no cpsec-enable
ids wms-general-profile
   poll-retries 3
ids wms-local-system-profile
valid-network-oui-profile
upgrade-profile
license profile
activate-service-whitelist
file syncing profile
ifmap cppm
pan profile default
pan active-profile
ap system-profile default
ap regulatory-domain-profile default
   country-code US
   valid-11g-channel 1
   valid-11g-channel 6
   valid-11g-channel 11
   valid-11a-channel 36
   valid-11a-channel 40
   valid-11a-channel 44
   valid-11a-channel 48
   valid-11a-channel 149
   valid-11a-channel 153
   valid-11a-channel 157
   valid-11a-channel 161
   valid-11a-channel 165
   valid-11g-40mhz-channel-pair 1-5
   valid-11g-40mhz-channel-pair 7-11
   valid-11a-40mhz-channel-pair 36-40
   valid-11a-40mhz-channel-pair 44-48
   valid-11a-40mhz-channel-pair 149-153
   valid-11a-40mhz-channel-pair 157-161
ap wired-ap-profile default
ap enet-link-profile default
ap mesh-ht-ssid-profile default
ap lldp med-network-policy-profile default
ap mesh-cluster-profile default
ap lldp profile default
ap mesh-radio-profile default
ap wired-port-profile default
ids general-profile default
ids unauthorized-device-profile default

ids profile default
rf arm-profile default
   assignment disable
rf arm-profile disable
   assignment disable
   no scanning
   no multi-band-scan
rf optimization-profile default
rf event-thresholds-profile default
rf am-scan-profile default
rf dot11a-radio-profile ch 165
   channel 48E
   tx-power 6
   arm-profile disable
rf dot11a-radio-profile ch 36
   channel 36E
   tx-power 25
   dot11h
   arm-profile disable
rf dot11a-radio-profile ch 40
   channel 40-
   tx-power 22
rf dot11a-radio-profile ch149
   channel 149E
   tx-power 6
   dot11h
rf dot11a-radio-profile ch44
   channel 44
   tx-power 16
rf dot11a-radio-profile default
   arm-profile disable
rf dot11g-radio-profile channel-1
   channel 1
   tx-power 6
   dot11h
   arm-profile disable
rf dot11g-radio-profile channel-11
   channel 11
   tx-power 30
   dot11h
   arm-profile disable
rf dot11g-radio-profile channel-6
   channel 6
   tx-power 25
   dot11h
   arm-profile disable
rf dot11g-radio-profile default
wlan handover-trigger-profile default

wlan rrm-ie-profile default
wlan bcn-rpt-req-profile default
wlan dot11r-profile default
wlan tsm-req-profile default
wlan voip-cac-profile default
   call-capacity 5
   bandwidth-capacity 200
   send-sip-status-code client 503
   send-sip-status-code server 503
wlan ht-ssid-profile default
   no 40MHz-enable
   no very-high-throughput-enable
   no 80MHz-enable
   no short-guard-intvl-20MHz
   no short-guard-intvl-40MHz
   no short-guard-intvl-80MHz
wlan hotspot anqp-venue-name-profile default
wlan hotspot anqp-nwk-auth-profile default
wlan hotspot anqp-roam-cons-profile default
wlan hotspot anqp-nai-realm-profile default
wlan hotspot anqp-3gpp-nwk-profile default
wlan hotspot h2qp-operator-friendly-name-profile default
wlan hotspot h2qp-wan-metrics-profile default
wlan hotspot h2qp-conn-capability-profile default
wlan hotspot h2qp-op-cl-profile default
wlan hotspot anqp-ip-addr-avail-profile default
wlan hotspot anqp-domain-name-profile default
wlan wmm-traffic-management-profile Ascom
   enable-shaping
wlan edca-parameters-profile station default
wlan edca-parameters-profile ap default
wlan dot11k-profile default
wlan ssid-profile --NEW--
   essid ArubaIntop2
   wmm-vo-dscp 56
   wmm-vi-dscp 40
   wmm-be-dscp 24
   wmm-bk-dscp 8
wlan ssid-profile default
   essid ArubaIntop
   opmode wpa2-psk-aes
   dtim-period 5
   g-basic-rates 6
   g-tx-rates 11 12 18 24 36 48 54

   max-retries 4
   wmm
   wmm-vo-dscp 46
   wmm-vi-dscp 40
   wmm-be-dscp 26
   wmm-bk-dscp 0
   wepkey1 1317981aecb1ee9a3145cbeeabbbc99a4c29e309ef9c8544
   wpa-passphrase 50a78a5dac7e447441e028920cceef898a3ba5f29c6e2098
   max-tx-fail 25
   edca-parameters-profile station default
   edca-parameters-profile ap default
wlan ssid-profile test
   opmode wpa2-psk-aes
   wmm-vo-dscp 56
   wmm-vi-dscp 40
   wmm-be-dscp 24
   wmm-bk-dscp 8
   wpa-passphrase c66913b490044f55538730b888a8522c02008a746fb88738
wlan hotspot advertisement-profile default
wlan hotspot hs2-profile default
wlan virtual-ap default
   aaa-profile default-dot1x
ap provisioning-profile default
rf arm-rf-domain-profile
   arm-rf-domain-key 49868e8b02680a8f03980ea4288197a4
ap-lacp-striping-ip
ap-group default
   virtual-ap default
   dot11a-radio-profile ch149
   dot11g-radio-profile channel-6
ap-name 001a1eca2c1a
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-11
ap-name 001a1eca2c76
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-1
ap-name 00246ccbf8b1
ap-name 00246ccbf900
   dot11a-radio-profile ch44
   dot11g-radio-profile channel-11
ap-name 24dec6cacabc
   dot11a-radio-profile ch149
   dot11g-radio-profile channel-1
ap-name 3400-ap-61-a
   dot11g-radio-profile channel-6
ap-name 3400-ap-61-b
   dot11g-radio-profile channel-6
ap-name 9c1c12c0c3bc
   dot11a-radio-profile ch 165
   dot11g-radio-profile channel-6

ap-name 9c1c12c82e5c
   dot11a-radio-profile ch149
   dot11g-radio-profile channel-1
ap-name 9c1c12cc6220
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-6
ap-name d8c7c8c0a168
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-1
airgroup cppm-server aaa
logging level warnings security subcat ids
logging level warnings security subcat ids-ap
snmp-server enable trap
snmp-server trap source 0000
snmp-server trap disable wlsxAdhocNetwork
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedAP
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedSta
snmp-server trap disable wlsxAdhocUsingValidSSID
snmp-server trap disable wlsxAuthMaxAclEntries
snmp-server trap disable wlsxAuthMaxBWContracts
snmp-server trap disable wlsxAuthMaxUserEntries
snmp-server trap disable wlsxAuthServerIsUp
snmp-server trap disable wlsxAuthServerReqTimedOut
snmp-server trap disable wlsxAuthServerTimedOut
snmp-server trap disable wlsxChannelChanged
snmp-server trap disable wlsxCoverageHoleDetected
snmp-server trap disable wlsxDBCommunicationFailure
snmp-server trap disable wlsxDisconnectStationAttack
snmp-server trap disable wlsxESIServerDown
snmp-server trap disable wlsxESIServerUp
snmp-server trap disable wlsxFanFailure
snmp-server trap disable wlsxFanTrayInserted
snmp-server trap disable wlsxFanTrayRemoved
snmp-server trap disable wlsxGBICInserted
snmp-server trap disable wlsxIpSpoofingDetected
snmp-server trap disable wlsxLCInserted
snmp-server trap disable wlsxLCRemoved
snmp-server trap disable wlsxLicenseExpiry
snmp-server trap disable wlsxLowMemory
snmp-server trap disable wlsxLowOnFlashSpace
snmp-server trap disable wlsxOutOfRangeTemperature
snmp-server trap disable wlsxOutOfRangeVoltage
snmp-server trap disable wlsxPowerSupplyFailure
snmp-server trap disable wlsxPowerSupplyMissing
snmp-server trap disable wlsxProcessDied
snmp-server trap disable wlsxProcessExceedsMemoryLimits
snmp-server trap disable wlsxSCInserted
snmp-server trap disable wlsxSignatureMatch
snmp-server trap disable wlsxStaUnAssociatedFromUnsecureAP
snmp-server trap disable wlsxStationAddedToBlackList
snmp-server trap disable wlsxStationRemovedFromBlackList
snmp-server trap disable wlsxSwitchIPChanged
snmp-server trap disable wlsxSwitchRoleChange
snmp-server trap disable wlsxUserAuthenticationFailed
snmp-server trap disable wlsxUserEntryAuthenticated
snmp-server trap disable wlsxUserEntryChanged
snmp-server trap disable wlsxUserEntryCreated
snmp-server trap disable wlsxUserEntryDeAuthenticated
snmp-server trap disable wlsxUserEntryDeleted
snmp-server trap disable wlsxVrrpStateChange

firewall-visibility
process monitor log
end

access-list session ap-acl access-list session v6-control access-list session v6-ap-acluser-role denyalluser-role default-vpn-role access-list session global-sacl access-list session apprf-default-vpn-role-sacl access-list session ra-guard access-list session allowall access-list session v6-allowalluser-role cpbase access-list session global-sacl access-list session apprf-cpbase-sacluser-role voice access-list session global-sacl access-list session apprf-voice-sacl access-list session ra-guard access-list session sip-acl access-list session noe-acl access-list session svp-acl access-list session vocera-acl access-list session skinny-acl access-list session h323-acl access-list session dhcp-acl access-list session tftp-acl access-list session dns-acl access-list session icmp-acluser-role ascom access-list session global-sacl access-list session apprf-ascom-sacl access-list session ascomuser-role default-via-role access-list session global-sacl access-list session apprf-default-via-role-sacl access-list session allowall access-list session v6-allowalluser-role guest-logon captive-portal default access-list session ra-guard access-list session logon-control access-list session captiveportal access-list session v6-logon-control access-list session captiveportal6user-role guest access-list session global-sacl access-list session apprf-guest-sacl access-list session ra-guard access-list session http-acl access-list session https-acl access-list session dhcp-acl access-list session icmp-acl access-list session dns-acl access-list session v6-http-acl access-list session v6-https-acl access-list session v6-dhcp-acl access-list session v6-icmp-acl access-list session v6-dns-acluser-role stateful-dot1x access-list session global-sacl access-list session apprf-stateful-dot1x-sacluser-role authenticated access-list session global-sacl access-list session apprf-authenticated-sacl access-list session ra-guard access-list session allowall access-list session v6-allowalluser-role 
logon access-list session ra-guard access-list session logon-control access-list session captiveportal access-list session vpnlogon access-list session v6-logon-control access-list session captiveportal6no kernel coredumpinterface mgmtshutdowndialer group evdo_us init-string ATQ0V1E0 dial-string ATDT777dialer group gsm_us init-string AT+CGDCONT=1IPISPCINGULAR dial-string ATD99dialer group gsm_asia init-string AT+CGDCONT=1IPinternet dial-string ATD991dialer group vivo_br init-string AT+CGDCONT=1IPzapvivocombr dial-string ATD99no spanning-treeinterface gigabitethernet 10description GE10trustedtrusted vlan 1-4094interface gigabitethernet 11description GE11trustedtrusted vlan 1-4094interface gigabitethernet 12description GE12trustedtrusted vlan 1-4094interface gigabitethernet 13description GE13trustedtrusted vlan 1-4094interface vlan 1ip address 192168013 2552552550ip default-gateway 172201061ip default-gateway 192168050uplink disablecrypto isakmp policy 20 encryption aes256crypto isakmp policy 10001crypto isakmp policy 10002 encryption aes256 authentication rsa-sigcrypto isakmp policy 10003 encryption aes256crypto isakmp policy 10004 version v2 encryption aes256 authentication rsa-sigcrypto isakmp policy 10005 encryption aes256crypto isakmp policy 10006 version v2 encryption aes128 authentication rsa-sigcrypto isakmp policy 10007 version v2 encryption aes128crypto isakmp policy 10008 version v2 encryption aes128 hash sha2-256-128 group 19 authentication ecdsa-256 prf prf-hmac-sha256crypto isakmp policy 10009 version v2 encryption aes256 hash sha2-384-192 group 20 authentication ecdsa-384 prf prf-hmac-sha384crypto ipsec transform-set default-ha-transform esp-3des esp-sha-hmaccrypto ipsec transform-set default-boc-bm-transform esp-3des esp-sha-hmaccrypto ipsec transform-set default-rap-transform esp-aes256 esp-sha-hmaccrypto ipsec transform-set default-aes esp-aes256 esp-sha-hmaccrypto dynamic-map default-rap-ipsecmap 10001 version v2 set transform-set default-gcm256 
default-gcm128 default-rap-transform crypto dynamic-map default-dynamicmap 10000 set transform-set default-transform default-aes crypto map GLOBAL-IKEV2-MAP 10000 ipsec-isakmp dynamic default-rap-ipsecmapcrypto map GLOBAL-MAP 10000 ipsec-isakmp dynamic default-dynamicmapcrypto isakmp eap-passthrough eap-tlscrypto isakmp eap-passthrough eap-peapcrypto isakmp eap-passthrough eap-mschapv2vpdn group l2tp vpdn group pptptunneled-node-address 0000adp discovery enableadp igmp-join enableadp igmp-vlan 0voice rtcp-inactivity disablevoice alg-based-cac enablevoice sip-midcall-req-timeout disableap ap-blacklist-time 3600ap flush-r1-on-new-r0 disablemgmt-user admin root 5436b5a101681372db26d314e974065944317cd3e1fe6a5534no database synchronizeip mobile domain defaultairgroup mdns enableairgroup dlna enableairgroup location-discovery enableairgroup active-wireless-discovery disableairgroupservice airplay id _airplay_tcp id _raop_tcp id _appletv-v2_tcp description AirPlayairgroupservice airprint id _ipp_tcp id _pdl-datastream_tcp id _printer_tcp id _scanner_tcp id _universal_sub_ipp_tcp id _universal_sub_ipps_tcp id _printer_sub_http_tcp id _http_tcp id _http-alt_tcp id _ipp-tls_tcp id _fax-ipp_tcp id _riousbprint_tcp id _cups_sub_ipp_tcp id _cups_sub_fax-ipp_tcp id _ica-networking_tcp id _ptp_tcp id _canon-bjnp1_tcp id _ipps_tcp id _ica-networking2_tcp description AirPrintairgroupservice itunes id _home-sharing_tcp id _apple-mobdev_tcp id _daap_tcp id _dacp_tcp description iTunesairgroupservice remotemgmt id _ssh_tcp id _sftp-ssh_tcp id _ftp_tcp id _telnet_tcp id _rfb_tcp id _net-assistant_tcp description Remote managementairgroupservice sharing id _odisk_tcp id _afpovertcp_tcp id _xgrid_tcp description Sharingairgroupservice chat id _presence_tcp description Chatairgroupservice googlecast id _googlecast_tcp description GoogleCast supported by Chromecast etcairgroupservice DIAL id urndial-multiscreen-orgservicedial1 id urndial-multiscreen-orgdevicedial1 description DIAL 
supported by Chromecast FireTV Roku etcairgroupservice DLNA Media id urnschemas-upnp-orgdeviceMediaServer1 id urnschemas-upnp-orgdeviceMediaServer2 id urnschemas-upnp-orgdeviceMediaServer3 id urnschemas-upnp-orgdeviceMediaServer4 id urnschemas-upnp-orgdeviceMediaRenderer1 id urnschemas-upnp-orgdeviceMediaRenderer2 id urnschemas-upnp-orgdeviceMediaRenderer3 id urnschemas-upnp-orgdeviceMediaPlayer1 description Mediaairgroupservice DLNA Print id urnschemas-upnp-orgdevicePrinter1 id urnschemas-upnp-orgservicePrintBasic1 id urnschemas-upnp-orgservicePrintEnhanced1 description Printairgroupservice allowall description Remaining-Servicesairgroup service airplay enableairgroup service airprint enableairgroup service itunes disableairgroup service remotemgmt disableairgroup service sharing disableairgroup service chat disableairgroup service googlecast disableairgroup service DIAL enableairgroup service DLNA Media disableairgroup service DLNA Print disableairgroup service allowall disableip igmpipv6 mldno firewall attack-rate cp 1024firewall enable ICE-STUN based firewall traversalfirewall attack-rate grat-arp 50 dropipv6 firewall ext-hdr-parse-len 100firewall cpip domain lookupcountry USaaa authentication mac defaultaaa authentication dot1x ArubaIntop-dot1x_profaaa authentication dot1x ascom machine-authentication enable machine-authentication machine-default-role ascom machine-authentication user-default-role authenticated reauthentication termination enable termination eap-type eap-peap termination inner-eap-type eap-mschapv2aaa authentication dot1x defaultaaa authentication dot1x Freeradius machine-authentication enable machine-authentication machine-default-role ascom machine-authentication user-default-role authenticatedaaa authentication-server radius Intop host 19216802 key 6035e299cd29e5ccb74cf92aac31ee2faaa server-group ascom auth-server Internalaaa server-group default auth-server Internal set role condition role value-ofaaa server-group intop auth-server 
Intopaaa profile ascom initial-role ascom authentication-dot1x ascom dot1x-default-role authenticated dot1x-server-group ascomaaa profile defaultaaa profile default-dot1x initial-role ascom authentication-dot1x Freeradius dot1x-default-role authenticated dot1x-server-group intopaaa profile default-dot1x-psk initial-role ascom authentication-dot1x default-psk dot1x-default-role authenticatedaaa authentication captive-portal defaultaaa authentication wispr defaultaaa authentication vpn defaultaaa authentication vpn default-rapaaa authentication mgmtaaa authentication stateful-ntlm defaultaaa authentication stateful-kerberos defaultaaa authentication stateful-dot1x server-group intopaaa authentication wiredweb-serverguest-access-emailvoice loggingvoice dialplan-profile defaultapp lync traffic-control defaultvoice real-time-configvoice sipaaa password-policy mgmtcontrol-plane-security no cpsec-enableids wms-general-profile poll-retries 3ids wms-local-system-profilevalid-network-oui-profileupgrade-profilelicense profileactivate-service-whitelistfile syncing profileifmap cppmpan profile defaultpan active-profileap system-profile defaultap regulatory-domain-profile default country-code US valid-11g-channel 1 valid-11g-channel 6 valid-11g-channel 11 valid-11a-channel 36 valid-11a-channel 40 valid-11a-channel 44 valid-11a-channel 48 valid-11a-channel 149 valid-11a-channel 153 valid-11a-channel 157 valid-11a-channel 161 valid-11a-channel 165 valid-11g-40mhz-channel-pair 1-5 valid-11g-40mhz-channel-pair 7-11 valid-11a-40mhz-channel-pair 36-40 valid-11a-40mhz-channel-pair 44-48 valid-11a-40mhz-channel-pair 149-153 valid-11a-40mhz-channel-pair 157-161ap wired-ap-profile defaultap enet-link-profile defaultap mesh-ht-ssid-profile defaultap lldp med-network-policy-profile defaultap mesh-cluster-profile defaultap lldp profile defaultap mesh-radio-profile defaultap wired-port-profile defaultids general-profile defaultids unauthorized-device-profile defaultids profile defaultrf 
arm-profile default assignment disablerf arm-profile disable assignment disable no scanning no multi-band-scanrf optimization-profile defaultrf event-thresholds-profile defaultrf am-scan-profile defaultrf dot11a-radio-profile ch 165 channel 48E tx-power 6 arm-profile disablerf dot11a-radio-profile ch 36 channel 36E tx-power 25 dot11h arm-profile disablerf dot11a-radio-profile ch 40 channel 40- tx-power 22rf dot11a-radio-profile ch149 channel 149E tx-power 6 dot11hrf dot11a-radio-profile ch44 channel 44 tx-power 16rf dot11a-radio-profile default arm-profile disablerf dot11g-radio-profile channel-1 channel 1 tx-power 6 dot11h arm-profile disablerf dot11g-radio-profile channel-11 channel 11 tx-power 30 dot11h arm-profile disablerf dot11g-radio-profile channel-6 channel 6 tx-power 25 dot11h arm-profile disablerf dot11g-radio-profile defaultwlan handover-trigger-profile defaultwlan rrm-ie-profile defaultwlan bcn-rpt-req-profile defaultwlan dot11r-profile defaultwlan tsm-req-profile defaultwlan voip-cac-profile default call-capacity 5 bandwidth-capacity 200 send-sip-status-code client 503 send-sip-status-code server 503wlan ht-ssid-profile default no 40MHz-enable no very-high-throughput-enable no 80MHz-enable no short-guard-intvl-20MHz no short-guard-intvl-40MHz no short-guard-intvl-80MHzwlan hotspot anqp-venue-name-profile defaultwlan hotspot anqp-nwk-auth-profile defaultwlan hotspot anqp-roam-cons-profile defaultwlan hotspot anqp-nai-realm-profile defaultwlan hotspot anqp-3gpp-nwk-profile defaultwlan hotspot h2qp-operator-friendly-name-profile defaultwlan hotspot h2qp-wan-metrics-profile defaultwlan hotspot h2qp-conn-capability-profile defaultwlan hotspot h2qp-op-cl-profile defaultwlan hotspot anqp-ip-addr-avail-profile defaultwlan hotspot anqp-domain-name-profile defaultwlan wmm-traffic-management-profile Ascom enable-shapingwlan edca-parameters-profile station defaultwlan edca-parameters-profile ap defaultwlan dot11k-profile defaultwlan ssid-profile --NEW-- essid 
ArubaIntop2 wmm-vo-dscp 56 wmm-vi-dscp 40 wmm-be-dscp 24 wmm-bk-dscp 8wlan ssid-profile default essid ArubaIntop opmode wpa2-psk-aes dtim-period 5 g-basic-rates 6 g-tx-rates 11 12 18 24 36 48 54 max-retries 4 wmm wmm-vo-dscp 46 wmm-vi-dscp 40 wmm-be-dscp 26 wmm-bk-dscp 0 wepkey1 1317981aecb1ee9a3145cbeeabbbc99a4c29e309ef9c8544 wpa-passphrase 50a78a5dac7e447441e028920cceef898a3ba5f29c6e2098 max-tx-fail 25 edca-parameters-profile station default edca-parameters-profile ap defaultwlan ssid-profile test opmode wpa2-psk-aes wmm-vo-dscp 56 wmm-vi-dscp 40 wmm-be-dscp 24 wmm-bk-dscp 8 wpa-passphrase c66913b490044f55538730b888a8522c02008a746fb88738wlan hotspot advertisement-profile defaultwlan hotspot hs2-profile defaultwlan virtual-ap default aaa-profile default-dot1xap provisioning-profile defaultrf arm-rf-domain-profile arm-rf-domain-key 49868e8b02680a8f03980ea4288197a4ap-lacp-striping-ipap-group default virtual-ap default dot11a-radio-profile ch149 dot11g-radio-profile channel-6ap-name 001a1eca2c1a dot11a-radio-profile ch 36 dot11g-radio-profile channel-11ap-name 001a1eca2c76 dot11a-radio-profile ch 36 dot11g-radio-profile channel-1ap-name 00246ccbf8b1ap-name 00246ccbf900 dot11a-radio-profile ch44 dot11g-radio-profile channel-11ap-name 24dec6cacabc dot11a-radio-profile ch149 dot11g-radio-profile channel-1ap-name 3400-ap-61-a dot11g-radio-profile channel-6ap-name 3400-ap-61-b dot11g-radio-profile channel-6ap-name 9c1c12c0c3bc dot11a-radio-profile ch 165 dot11g-radio-profile channel-6ap-name 9c1c12c82e5c dot11a-radio-profile ch149 dot11g-radio-profile channel-1ap-name 9c1c12cc6220 dot11a-radio-profile ch 36 dot11g-radio-profile channel-6ap-name d8c7c8c0a168 dot11a-radio-profile ch 36 dot11g-radio-profile channel-1airgroup cppm-server aaalogging level warnings security subcat idslogging level warnings security subcat ids-apsnmp-server enable trapsnmp-server trap source 0000snmp-server trap disable wlsxAdhocNetworksnmp-server trap disable 
wlsxAdhocNetworkBridgeDetectedAPsnmp-server trap disable wlsxAdhocNetworkBridgeDetectedStasnmp-server trap disable wlsxAdhocUsingValidSSIDsnmp-server trap disable wlsxAuthMaxAclEntriessnmp-server trap disable wlsxAuthMaxBWContractssnmp-server trap disable wlsxAuthMaxUserEntriessnmp-server trap disable wlsxAuthServerIsUpsnmp-server trap disable wlsxAuthServerReqTimedOutsnmp-server trap disable wlsxAuthServerTimedOutsnmp-server trap disable wlsxChannelChangedsnmp-server trap disable wlsxCoverageHoleDetectedsnmp-server trap disable wlsxDBCommunicationFailuresnmp-server trap disable wlsxDisconnectStationAttacksnmp-server trap disable wlsxESIServerDownsnmp-server trap disable wlsxESIServerUpsnmp-server trap disable wlsxFanFailuresnmp-server trap disable wlsxFanTrayInsertedsnmp-server trap disable wlsxFanTrayRemovedsnmp-server trap disable wlsxGBICInsertedsnmp-server trap disable wlsxIpSpoofingDetectedsnmp-server trap disable wlsxLCInsertedsnmp-server trap disable wlsxLCRemovedsnmp-server trap disable wlsxLicenseExpirysnmp-server trap disable wlsxLowMemorysnmp-server trap disable wlsxLowOnFlashSpacesnmp-server trap disable wlsxOutOfRangeTemperaturesnmp-server trap disable wlsxOutOfRangeVoltagesnmp-server trap disable wlsxPowerSupplyFailuresnmp-server trap disable wlsxPowerSupplyMissingsnmp-server trap disable wlsxProcessDiedsnmp-server trap disable wlsxProcessExceedsMemoryLimitssnmp-server trap disable wlsxSCInsertedsnmp-server trap disable wlsxSignatureMatchsnmp-server trap disable wlsxStaUnAssociatedFromUnsecureAPsnmp-server trap disable wlsxStationAddedToBlackListsnmp-server trap disable wlsxStationRemovedFromBlackListsnmp-server trap disable wlsxSwitchIPChangedsnmp-server trap disable wlsxSwitchRoleChangesnmp-server trap disable wlsxUserAuthenticationFailedsnmp-server trap disable wlsxUserEntryAuthenticatedsnmp-server trap disable wlsxUserEntryChangedsnmp-server trap disable wlsxUserEntryCreatedsnmp-server trap disable wlsxUserEntryDeAuthenticatedsnmp-server trap 
disable wlsxUserEntryDeletedsnmp-server trap disable wlsxVrrpStateChangefirewall-visibility process monitor logend

WLAN TR

WLAN TR

WLAN Interoperability Test Report

WLAN configuration:
Beacon Interval: 100ms
DTIM Interval: 5
802.11d Regulatory Domain: XX
WMM Enabled (AutoWMM)
No Auto-tune
Single Voice VLAN

Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP115 and AP225

Test Case | Description | Verdict AP115 2.4 GHz | Verdict AP115 5.0 GHz | Verdict AP225 2.4 GHz | Verdict AP225 5.0 GHz | Comment

TEST AREA ASSOCIATION AUTHENTICATION
101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS |
104 | Association with WPA-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62
105 | Association with WPA-PSK authentication, AES-CCMP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62
106 | Association with WPA2-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS |
110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL
111 | Association with EAP-FAST authentication | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment
116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate

TEST AREA POWER-SAVE AND QOS PASS
150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL
151 | Beacon period and DTIM interval | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED
152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment
202 | WMM prioritization | PASS | PASS | PASS | PASS | background load generated with iPerf. No degeneration of voice quality

TEST AREA PERFORMANCE
301 | Active mode - unencrypted | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
303 | Active mode – encrypted with WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
308 | Power-save mode U-APSD – WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
309 | Power-save mode U-APSD – WPA2-PSK AES, background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
310 | CAC - TSPEC | PASS | PASS | PASS | PASS | No TSPEC based CAC

TEST AREA ROAMING AND HANDOVER TIMES
401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | avg a/n 24ms, b/g/n 24ms
403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 52ms, b/g/n 59ms
408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 63ms, b/g/n 62ms
410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | always on, see 408
411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | always on, see 408

TEST AREA BATTERY LIFETIME
501 | Battery lifetime in idle | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
502 | Battery lifetime in call with no power save | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
504 | Battery lifetime in call with power save mode U-APSD | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |

TEST AREA STABILITY
601 | Duration of call – Active mode | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
602 | Duration of call – U-APSD mode | PASS | PASS | PASS | PASS |

TEST AREA 802.11n
801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
804 | 40 MHz channels | NOT TESTED | PASS | NOT TESTED | NOT TESTED |
805 | 802.11n rates | PASS | PASS | PASS | PASS |

WLAN Interoperability Test Report

WLAN configuration:
Beacon Interval: 100ms
DTIM Interval: 5
802.11d Regulatory Domain: XX
WMM Enabled (AutoWMM)
No Auto-tune
Single Voice VLAN

Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP103 and AP205

Test Case | Description | Verdict AP205 2.4 GHz | Verdict AP205 5.0 GHz | Verdict AP103 2.4 GHz | Verdict AP103 5.0 GHz | Comment

TEST AREA ASSOCIATION AUTHENTICATION
101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS |
104 | Association with WPA-PSK authentication, TKIP encryption | See Comment | See Comment | See Comment | See Comment | Not tested. Only possible in Mixed mode and requires advanced configuration of i62
105 | Association with WPA-PSK authentication, AES-CCMP encryption | See Comment | See Comment | See Comment | See Comment | Not tested. Only possible in Mixed mode and requires advanced configuration of i62
106 | Association with WPA2-PSK authentication, TKIP encryption | PASS | PASS | PASS | PASS |
107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS |
110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL
115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment
116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate

TEST AREA POWER-SAVE AND QOS PASS
150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL
151 | Beacon period and DTIM interval | See Comment | See Comment | PASS | PASS | Only Dtim 1 for AP205. AP103 no remark NOT TESTED
152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment
202 | WMM prioritization | PASS | PASS | PASS | PASS |

TEST AREA PERFORMANCE
301 | Active mode - unencrypted | PASS | PASS | PASS | PASS |
303 | Active mode – encrypted with WPA2-PSK | PASS | PASS | PASS | PASS |
308 | Power-save mode U-APSD – WPA2-PSK | PASS | PASS | PASS | PASS |
309 | Power-save mode U-APSD – WPA2-PSK AES, background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
310 | CAC - TSPEC | PASS | PASS | PASS | PASS | Non tspec based CAC

TEST AREA ROAMING AND HANDOVER TIMES
401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | Typical average roaming time: a/n/ac 16ms, b/g/n 18ms
403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | Typical average roaming time: a/n/ac 53ms, b/g/n 59ms
408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | Typical average roaming time: a/n/ac 46ms, b/g/n 62ms
410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | always on, see 408
411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | always on, see 408

TEST AREA BATTERY LIFETIME
501 | Battery lifetime in idle | See Comment | See Comment | PASS | PASS | 60-70h due to DTIM 1 only. AP103 90 100h (DTIM 5)
502 | Battery lifetime in call with no power save | PASS | PASS | PASS | PASS | 3-4 hours
504 | Battery lifetime in call with power save mode U-APSD | PASS | PASS | PASS | PASS | 13h (14-16h for AP103)

TEST AREA STABILITY
601 | Duration of call – Active mode | PASS | PASS | PASS | PASS | 24h +
602 | Duration of call – U-APSD mode | PASS | PASS | PASS | PASS | 24h +

TEST AREA 802.11n
801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
804 | 40 MHz channels | NOT TESTED | PASS | NOT TESTED | PASS | AP205 80 MHz channels verified ok
805 | 802.11n rates | PASS | PASS | PASS | PASS |

WLAN Interoperability Test Report

WLAN configuration:
Beacon Interval: 100ms
DTIM Interval: 5
802.11d Regulatory Domain: XX
WMM Enabled (AutoWMM)
No Auto-tune
Single Voice VLAN

Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP105 and AP135

Test Case | Description | Verdict AP105 2.4 GHz | Verdict AP105 5.0 GHz | Verdict AP135 2.4 GHz | Verdict AP135 5.0 GHz | Comment

TEST AREA ASSOCIATION AUTHENTICATION
101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS |
104 | Association with WPA-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62
105 | Association with WPA-PSK authentication, AES-CCMP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62
106 | Association with WPA2-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS |
110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL
115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment
116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate

TEST AREA POWER-SAVE AND QOS PASS
150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL
151 | Beacon period and DTIM interval | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Only Dtim 1 for AP205. AP103 no remark NOT TESTED
152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment
202 | WMM prioritization | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | background load generated with iPerf. No degeneration of voice quality

TEST AREA PERFORMANCE
301 | Active mode - unencrypted | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
303 | Active mode – encrypted with WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
308 | Power-save mode U-APSD – WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
309 | Power-save mode U-APSD – WPA2-PSK AES, background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
310 | CAC - TSPEC | PASS | PASS | PASS | PASS | No TSPEC based CAC

TEST AREA ROAMING AND HANDOVER TIMES
401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | avg a/n 29ms, b/g/n 27ms
403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 57ms, b/g/n 55ms
408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 62ms, b/g/n 60ms
410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | Always on, see 408
411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | Always on, see 408
412 | Preauthentication | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |

TEST AREA BATTERY LIFETIME
501 | Battery lifetime in idle | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
502 | Battery lifetime in call with no power save | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
504 | Battery lifetime in call with power save mode U-APSD | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |

TEST AREA STABILITY
601 | Duration of call – Active mode | PASS | PASS | PASS | PASS |
602 | Duration of call – U-APSD mode | PASS | PASS | PASS | PASS |

TEST AREA 802.11n
801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
804 | 40 MHz channels | NOT TESTED | NOT TESTED | NOT TESTED | PASS |
805 | 802.11n rates | PASS | PASS | PASS | PASS |

3. Make sure that all non-DFS channels are taken before resorting to DFS channels. The handset can cope in mixed non-DFS and DFS environments; however, due to the "unpredictability" introduced by radar detection protocols, voice quality may become distorted and roaming delayed. Hence Ascom recommends avoiding the use of DFS channels in VoWi-Fi deployments.

DFS: Dynamic Frequency Selection (radar detection)

Ascom recommends a Beacon Interval of 100ms and advertising 802.11d/h capabilities. For 802.11b/g/n use only channels 1, 6 and 11. For 802.11a/n use channels in accordance with Aruba's guidelines and in compliance with local regulations.

Encryption and Authentication Settings

WPA2-PSK: Set the security profile to WPA2-PSK, AES encryption.


Enterprise/.1X authentication

Step 1: When configuring the authentication mode using a RADIUS server, the IP address and the secret must correspond to the IP address and the credential used by the RADIUS server. The RADIUS server should be added to a Server Group.

Step 2: Create an 802.1X Authentication Profile.


Step 3: Choose the 802.1X Authentication Profile created in the previous step and configure the Authentication Server Group.

Choose the configured AAA Profile and set WPA2/AES as the security mode.

See Appendix B for the controller configuration used for the certification process.
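
The chain that Steps 1 to 3 build (RADIUS server, server group, 802.1X authentication profile, AAA profile, WPA2/AES SSID) can be checked offline against a saved controller configuration. The following is an added example, not part of the guide or of Aruba's tooling; it assumes the running-config layout in which sub-commands are indented under their parent command, reuses profile names from Appendix B, and uses a placeholder host address and key.

```python
# Added example, not from the guide: verify that every virtual AP resolves to a
# complete 802.1X chain (Steps 1-3). Profile names follow Appendix B; the host
# address and key are placeholders, and the sample config is constructed.
SAMPLE_CONFIG = """\
aaa authentication-server radius Intop
   host 192.0.2.10
   key <radius-shared-secret>
aaa server-group intop
   auth-server Intop
aaa authentication dot1x Freeradius
aaa profile default-dot1x
   authentication-dot1x Freeradius
   dot1x-server-group intop
wlan ssid-profile default
   opmode wpa2-aes
wlan virtual-ap default
   aaa-profile default-dot1x
"""

# Top-level commands whose last word is a profile or server name.
KINDS = ("aaa authentication-server radius", "aaa server-group",
         "aaa authentication dot1x", "aaa profile",
         "wlan ssid-profile", "wlan virtual-ap")

def parse_blocks(text):
    """Map (command kind, name) to the indented sub-commands beneath it."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            continue
        if line[0].isspace():          # sub-command of the current block
            if current is not None:
                blocks[current].append(line.strip())
            continue
        current = (line, "")
        for kind in KINDS:
            if line.startswith(kind + " "):
                current = (kind, line[len(kind):].strip().strip('"'))
        blocks.setdefault(current, [])
    return blocks

def args(subs, keyword):
    """Arguments of the first `keyword` sub-command, or None if it is absent."""
    for sub in subs:
        parts = sub.replace('"', "").split()
        if parts and parts[0] == keyword:
            return parts[1:]
    return None

def first(subs, keyword):
    found = args(subs, keyword)
    return found[0] if found else None

def check_group(blocks, vap, group):
    """Step 1: the server group must list RADIUS servers with host and key."""
    subs = blocks.get(("aaa server-group", group))
    if subs is None:
        return [f"{vap}: dot1x-server-group {group or '(unset)'} is not defined"]
    servers = [s.replace('"', "").split()[1] for s in subs
               if s.startswith("auth-server ")]
    out = [] if servers else [f"{vap}: server group '{group}' lists no auth-server"]
    for srv in servers:
        if srv == "Internal":      # controller's built-in user database
            continue
        radius = blocks.get(("aaa authentication-server radius", srv))
        if radius is None:
            out.append(f"{vap}: auth-server '{srv}' is not a defined RADIUS server")
            continue
        out += [f"{vap}: RADIUS server '{srv}' has no {kw}"
                for kw in ("host", "key") if not args(radius, kw)]
    return out

def check_dot1x(text):
    """Return findings for every virtual AP; an empty list means complete."""
    blocks, findings = parse_blocks(text), []
    for (kind, vap), subs in blocks.items():
        if kind != "wlan virtual-ap":
            continue
        # Assumption: a virtual AP without an explicit reference uses "default".
        aaa = first(subs, "aaa-profile") or "default"
        ssid = first(subs, "ssid-profile") or "default"
        aaa_subs = blocks.get(("aaa profile", aaa))
        if aaa_subs is None:
            findings.append(f"{vap}: aaa profile '{aaa}' is not defined")
            continue
        # Steps 2-3: the AAA profile must select an existing 802.1X profile.
        dot1x = first(aaa_subs, "authentication-dot1x")
        if ("aaa authentication dot1x", dot1x) not in blocks:
            findings.append(f"{vap}: aaa profile '{aaa}' selects no defined 802.1X profile")
        findings += check_group(blocks, vap, first(aaa_subs, "dot1x-server-group"))
        # Final step: the SSID must use WPA2 with AES and 802.1X, not a PSK mode.
        opmode = args(blocks.get(("wlan ssid-profile", ssid), []), "opmode")
        if opmode != ["wpa2-aes"]:
            shown = " ".join(opmode) if opmode else "not set"
            findings.append(f"{vap}: ssid-profile '{ssid}' opmode is {shown}, expected wpa2-aes")
    return findings

if __name__ == "__main__":
    for finding in check_dot1x(SAMPLE_CONFIG) or ["802.1X chain complete"]:
        print(finding)
```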

Ascom i62 Setting Summary

Network settings for WPA2‐PSK

Network settings for 802.1X authentication (PEAP-MSCHAPv2)

802.1X authentication requires a root certificate to be uploaded to the phone by "right clicking" -> Edit certificates. EAP-TLS will require both a root and a client certificate.

Note that both a root and a client certificate are needed for TLS. Otherwise, only a root certificate is needed.

Server certificate validation can be overridden in version 4112 and above per handset setting (Validate server certificate under Network settings).

APPENDIX B

Test Summary

Description Runs

Tests passed 24

Tests Not Run 11

Tests fail 0

Test NA 0

Total Number of Tests 35

Aruba Test Configuration File

version 64
enable secret 7d3988e20126db68084797bcc038534bffc2ced01c24555806
hostname Aruba3400
clock timezone PST -8
location Building1floor1
controller config 716
ip NAT pool dynamic-srcnat 0000 0000
ip access-list eth validuserethacl
  permit any
netservice svc-pcoip2-tcp tcp 4172
netservice svc-snmp-trap udp 162
netservice svc-netbios-dgm udp 138
netservice svc-citrix tcp 2598
netservice svc-smb-tcp tcp 445
netservice svc-ike udp 500
netservice svc-l2tp udp 1701
netservice svc-syslog udp 514
netservice svc-dhcp udp 67 68 alg dhcp
netservice svc-https tcp 443
netservice svc-ica tcp 1494
netservice svc-pptp tcp 1723
netservice svc-telnet tcp 23
netservice svc-http-accl tcp 88
netservice svc-sccp tcp 2000 alg sccp
netservice svc-sec-papi udp 8209
netservice svc-tftp udp 69 alg tftp
netservice svc-kerberos udp 88
netservice svc-sip-tcp tcp 5060
netservice svc-netbios-ssn tcp 139
netservice svc-pcoip-udp udp 50002
netservice svc-pcoip-tcp tcp 50002
netservice svc-pop3 tcp 110
netservice svc-adp udp 8200
netservice svc-cfgm-tcp tcp 8211
netservice svc-noe udp 32512 alg noe
netservice svc-http-proxy3 tcp 8888
netservice svc-lpd-tcp tcp 631
netservice svc-msrpc-tcp tcp 135 139
netservice svc-rtsp tcp 554 alg rtsp
netservice svc-dns udp 53 alg dns
netservice vnc tcp 5900 5905
netservice svc-vocera udp 5002 alg vocera
netservice svc-h323-tcp tcp 1720
netservice svc-h323-udp udp 1718 1719
netservice svc-http tcp 80
netservice svc-nterm tcp 1026 1028
netservice svc-sip-udp udp 5060
netservice svc-http-proxy2 tcp 8080
netservice svc-noe-oxo udp 5000 alg noe
netservice svc-papi udp 8211
netservice svc-ftp tcp 21 alg ftp
netservice svc-natt udp 4500
netservice svc-svp 119 alg svp
netservice svc-microsoft-ds tcp 445
netservice svc-gre 47
netservice svc-smtp tcp 25
netservice web tcp list 80 443
netservice svc-smb-udp udp 445
netservice svc-sips tcp 5061 alg sips
netservice svc-netbios-ns udp 137
netservice svc-esp 50

netservice svc-cups tcp 515
netservice svc-pcoip2-udp udp 4172
netservice svc-bootp udp 67 69
netservice svc-snmp udp 161
netservice svc-v6-dhcp udp 546 547
netservice svc-icmp 1
netservice svc-ntp udp 123
netservice svc-msrpc-udp udp 135 139
netservice svc-ssh tcp 22
netservice svc-http-proxy1 tcp 3128
netservice svc-v6-icmp 58
netservice svc-lpd-udp udp 631
netservice svc-vmware-rdp tcp 3389
netdestination6 ipv6-reserved-range
  invert
  network 20003
netexthdr default
time-range night-hours periodic
  weekday 1801 to 2359
  weekday 0000 to 0759
time-range weekend periodic
  weekend 0000 to 2359
time-range working-hours periodic
  weekday 0800 to 1800
ip access-list session allow-diskservices
  any any svc-netbios-dgm permit
  any any svc-netbios-ssn permit
  any any svc-microsoft-ds permit
  any any svc-netbios-ns permit
ip access-list session control
  any any svc-papi permit
  any any svc-sec-papi permit
  user any udp 68 deny
  any any svc-icmp permit
  any any svc-dns permit
  any any svc-cfgm-tcp permit
  any any svc-adp permit
  any any svc-tftp permit
  any any svc-dhcp permit
  any any svc-natt permit
ip access-list session v6-icmp-acl
ip access-list session apprf-ascom-sacl
ip access-list session validuser
  network 16925400 25525500 any any deny
  network 127000 255000 any any deny
  network 224000 240000 any any deny
  host 255255255255 any any deny
  network 240000 240000 any any deny
  any any any permit
  ipv6 host fe80 any any deny
  ipv6 network fc007 any any permit
  ipv6 network fe8064 any any permit
  ipv6 alias ipv6-reserved-range any any deny
  ipv6 any any any permit
ip access-list session vocera-acl
  any any svc-vocera permit queue high

ip access-list session v6-https-acl
ip access-list session vmware-acl
  any any svc-vmware-rdp permit tos 46 dot1p-priority 6
  any any svc-pcoip-tcp permit tos 46 dot1p-priority 6
  any any svc-pcoip-udp permit tos 46 dot1p-priority 6
  any any svc-pcoip2-tcp permit tos 46 dot1p-priority 6
  any any svc-pcoip2-udp permit tos 46 dot1p-priority 6
ip access-list session apprf-default-vpn-role-sacl
ip access-list session v6-control
  ipv6 any any svc-papi permit
  ipv6 any any svc-sec-papi permit
  ipv6 user any udp 547 deny
  ipv6 any any svc-v6-icmp permit
  ipv6 any any svc-dns permit
  ipv6 any any svc-cfgm-tcp permit
  ipv6 any any svc-adp permit
  ipv6 any any svc-tftp permit
  ipv6 any any svc-dhcp permit
  ipv6 any any svc-natt permit
ip access-list session icmp-acl
  any any svc-icmp permit
ip access-list session apprf-authenticated-sacl
ip access-list session apprf-stateful-dot1x-sacl
ip access-list session captiveportal
  user alias controller svc-https dst-nat 8081
  user any svc-http dst-nat 8080
  user any svc-https dst-nat 8081
  user any svc-http-proxy1 dst-nat 8088
  user any svc-http-proxy2 dst-nat 8088
  user any svc-http-proxy3 dst-nat 8088
ip access-list session v6-dhcp-acl
ip access-list session allowall
  any any any permit
ip access-list session v6-dns-acl
ip access-list session apprf-voice-sacl
ip access-list session lync-acl
  any any svc-sips permit queue high
ip access-list session test
ip access-list session sip-acl
  any any svc-sip-udp permit queue high
  any any svc-sip-tcp permit queue high
ip access-list session https-acl
  any any svc-https permit
ip access-list session citrix-acl
  any any svc-citrix permit tos 46 dot1p-priority 6
  any any svc-ica permit tos 46 dot1p-priority 6
ip access-list session dns-acl
  any any svc-dns permit

ip access-list session ascom
  any any any permit
ip access-list session ra-guard
  ipv6 user any icmpv6 rtr-adv deny
ip access-list session allow-printservices
  any any svc-cups permit
  any any svc-lpd-tcp permit
  any any svc-lpd-udp permit
ip access-list session logon-control
  user any udp 68 deny
  any any svc-icmp permit
  any any svc-dns permit
  any any svc-dhcp permit
  any any svc-natt permit
  any network 16925400 25525500 any deny
  any network 240000 240000 any deny
ip access-list session vpnlogon
  user any svc-ike permit
  user any svc-esp permit
  any any svc-l2tp permit
  any any svc-pptp permit
  any any svc-gre permit
ip access-list session srcnat
  user any any src-nat
ip access-list session skinny-acl
  any any svc-sccp permit queue high
ip access-list session tftp-acl
  any any svc-tftp permit
ip access-list session v6-allowall
ip access-list session apprf-cpbase-sacl
ip access-list session cplogout
  user alias controller svc-https dst-nat 8081
ip access-list session apprf-default-via-role-sacl
ip access-list session dhcp-acl
  any any svc-dhcp permit
ip access-list session http-acl
  any any svc-http permit
ip access-list session v6-http-acl
ip access-list session captiveportal6
  ipv6 user alias controller6 svc-https captive
  ipv6 user any svc-http captive
  ipv6 user any svc-https captive
  ipv6 user any svc-http-proxy1 captive
  ipv6 user any svc-http-proxy2 captive
  ipv6 user any svc-http-proxy3 captive
ip access-list session apprf-guest-sacl
ip access-list session ap-uplink-acl
  any any udp 68 permit

  any any svc-icmp permit
  any host 22400251 udp 5353 permit
ip access-list session ap-acl
  any any svc-gre permit
  any any svc-syslog permit
  any user svc-snmp permit
  user any svc-http permit
  user any svc-http-accl permit
  user any svc-smb-tcp permit
  user any svc-msrpc-tcp permit
  user any svc-snmp-trap permit
  user any svc-ntp permit
  user alias controller svc-ftp permit
ip access-list session svp-acl
  any any svc-svp permit queue high
  user host 22401116 any permit
ip access-list session noe-acl
  any any svc-noe permit queue high
ip access-list session global-sacl
ip access-list session v6-ap-acl
  ipv6 any any svc-gre permit
  ipv6 any any svc-syslog permit
  ipv6 any user svc-snmp permit
  ipv6 user any svc-snmp-trap permit
  ipv6 user any svc-ntp permit
  ipv6 user alias controller6 svc-ftp permit
ip access-list session h323-acl
  any any svc-h323-tcp permit queue high
  any any svc-h323-udp permit queue high
ip access-list session v6-logon-control
  ipv6 any network fc007 any permit
  ipv6 any network fe8064 any permit
  ipv6 any alias ipv6-reserved-range any deny
vpn-dialer default-dialer
  ike authentication PRE-SHARE 0fa4598253e270cc96afbec0732b06120e4a3d76a908f6e2
dot1x high-watermark 60
dot1x low-watermark 57
user-role ap-role
  access-list session ra-guard
  access-list session control
  access-list session ap-acl
  access-list session v6-control
  access-list session v6-ap-acl
user-role denyall
user-role default-vpn-role
  access-list session global-sacl
  access-list session apprf-default-vpn-role-sacl
  access-list session ra-guard
  access-list session allowall
  access-list session v6-allowall
user-role cpbase
  access-list session global-sacl
  access-list session apprf-cpbase-sacl

user-role voice
  access-list session global-sacl
  access-list session apprf-voice-sacl
  access-list session ra-guard
  access-list session sip-acl
  access-list session noe-acl
  access-list session svp-acl
  access-list session vocera-acl
  access-list session skinny-acl
  access-list session h323-acl
  access-list session dhcp-acl
  access-list session tftp-acl
  access-list session dns-acl
  access-list session icmp-acl
user-role ascom
  access-list session global-sacl
  access-list session apprf-ascom-sacl
  access-list session ascom
user-role default-via-role
  access-list session global-sacl
  access-list session apprf-default-via-role-sacl
  access-list session allowall
  access-list session v6-allowall
user-role guest-logon
  captive-portal default
  access-list session ra-guard
  access-list session logon-control
  access-list session captiveportal
  access-list session v6-logon-control
  access-list session captiveportal6
user-role guest
  access-list session global-sacl
  access-list session apprf-guest-sacl
  access-list session ra-guard
  access-list session http-acl
  access-list session https-acl
  access-list session dhcp-acl
  access-list session icmp-acl
  access-list session dns-acl
  access-list session v6-http-acl
  access-list session v6-https-acl
  access-list session v6-dhcp-acl
  access-list session v6-icmp-acl
  access-list session v6-dns-acl
user-role stateful-dot1x
  access-list session global-sacl
  access-list session apprf-stateful-dot1x-sacl
user-role authenticated
  access-list session global-sacl
  access-list session apprf-authenticated-sacl
  access-list session ra-guard
  access-list session allowall
  access-list session v6-allowall
user-role logon
  access-list session ra-guard
  access-list session logon-control
  access-list session captiveportal
  access-list session vpnlogon
  access-list session v6-logon-control

  access-list session captiveportal6
no kernel coredump
interface mgmt
  shutdown
dialer group evdo_us
  init-string ATQ0V1E0
  dial-string ATDT777
dialer group gsm_us
  init-string AT+CGDCONT=1IPISPCINGULAR
  dial-string ATD99
dialer group gsm_asia
  init-string AT+CGDCONT=1IPinternet
  dial-string ATD991
dialer group vivo_br
  init-string AT+CGDCONT=1IPzapvivocombr
  dial-string ATD99
no spanning-tree
interface gigabitethernet 10
  description GE10
  trusted
  trusted vlan 1-4094
interface gigabitethernet 11
  description GE11
  trusted
  trusted vlan 1-4094
interface gigabitethernet 12
  description GE12
  trusted
  trusted vlan 1-4094
interface gigabitethernet 13
  description GE13
  trusted
  trusted vlan 1-4094
interface vlan 1
  ip address 192168013 2552552550
ip default-gateway 172201061
ip default-gateway 192168050
uplink disable

crypto isakmp policy 20
  encryption aes256
crypto isakmp policy 10001
crypto isakmp policy 10002
  encryption aes256
  authentication rsa-sig
crypto isakmp policy 10003
  encryption aes256
crypto isakmp policy 10004
  version v2
  encryption aes256
  authentication rsa-sig
crypto isakmp policy 10005
  encryption aes256
crypto isakmp policy 10006
  version v2
  encryption aes128
  authentication rsa-sig
crypto isakmp policy 10007
  version v2
  encryption aes128
crypto isakmp policy 10008
  version v2
  encryption aes128
  hash sha2-256-128
  group 19
  authentication ecdsa-256
  prf prf-hmac-sha256
crypto isakmp policy 10009
  version v2
  encryption aes256
  hash sha2-384-192
  group 20
  authentication ecdsa-384
  prf prf-hmac-sha384
crypto ipsec transform-set default-ha-transform esp-3des esp-sha-hmac
crypto ipsec transform-set default-boc-bm-transform esp-3des esp-sha-hmac
crypto ipsec transform-set default-rap-transform esp-aes256 esp-sha-hmac
crypto ipsec transform-set default-aes esp-aes256 esp-sha-hmac
crypto dynamic-map default-rap-ipsecmap 10001
  version v2
  set transform-set default-gcm256 default-gcm128 default-rap-transform
crypto dynamic-map default-dynamicmap 10000
  set transform-set default-transform default-aes

crypto map GLOBAL-IKEV2-MAP 10000 ipsec-isakmp dynamic default-rap-ipsecmap
crypto map GLOBAL-MAP 10000 ipsec-isakmp dynamic default-dynamicmap
crypto isakmp eap-passthrough eap-tls
crypto isakmp eap-passthrough eap-peap
crypto isakmp eap-passthrough eap-mschapv2
vpdn group l2tp
vpdn group pptp
tunneled-node-address 0000
adp discovery enable
adp igmp-join enable
adp igmp-vlan 0
voice rtcp-inactivity disable
voice alg-based-cac enable
voice sip-midcall-req-timeout disable
ap ap-blacklist-time 3600
ap flush-r1-on-new-r0 disable
mgmt-user admin root 5436b5a101681372db26d314e974065944317cd3e1fe6a5534
no database synchronize
ip mobile domain default
airgroup mdns enable
airgroup dlna enable
airgroup location-discovery enable
airgroup active-wireless-discovery disable
airgroupservice airplay
  id _airplay_tcp
  id _raop_tcp
  id _appletv-v2_tcp
  description AirPlay
airgroupservice airprint
  id _ipp_tcp
  id _pdl-datastream_tcp
  id _printer_tcp
  id _scanner_tcp
  id _universal_sub_ipp_tcp
  id _universal_sub_ipps_tcp
  id _printer_sub_http_tcp
  id _http_tcp

  id _http-alt_tcp
  id _ipp-tls_tcp
  id _fax-ipp_tcp
  id _riousbprint_tcp
  id _cups_sub_ipp_tcp
  id _cups_sub_fax-ipp_tcp
  id _ica-networking_tcp
  id _ptp_tcp
  id _canon-bjnp1_tcp
  id _ipps_tcp
  id _ica-networking2_tcp
  description AirPrint
airgroupservice itunes
  id _home-sharing_tcp
  id _apple-mobdev_tcp
  id _daap_tcp
  id _dacp_tcp
  description iTunes
airgroupservice remotemgmt
  id _ssh_tcp
  id _sftp-ssh_tcp
  id _ftp_tcp
  id _telnet_tcp
  id _rfb_tcp
  id _net-assistant_tcp
  description Remote management
airgroupservice sharing
  id _odisk_tcp
  id _afpovertcp_tcp
  id _xgrid_tcp
  description Sharing
airgroupservice chat
  id _presence_tcp
  description Chat
airgroupservice googlecast
  id _googlecast_tcp
  description GoogleCast supported by Chromecast etc
airgroupservice DIAL
  id urndial-multiscreen-orgservicedial1
  id urndial-multiscreen-orgdevicedial1
  description DIAL supported by Chromecast FireTV Roku etc
airgroupservice DLNA Media
  id urnschemas-upnp-orgdeviceMediaServer1
  id urnschemas-upnp-orgdeviceMediaServer2
  id urnschemas-upnp-orgdeviceMediaServer3
  id urnschemas-upnp-orgdeviceMediaServer4
  id urnschemas-upnp-orgdeviceMediaRenderer1
  id urnschemas-upnp-orgdeviceMediaRenderer2
  id urnschemas-upnp-orgdeviceMediaRenderer3
  id urnschemas-upnp-orgdeviceMediaPlayer1
  description Media
airgroupservice DLNA Print
  id urnschemas-upnp-orgdevicePrinter1
  id urnschemas-upnp-orgservicePrintBasic1
  id urnschemas-upnp-orgservicePrintEnhanced1
  description Print
airgroupservice allowall

  description Remaining-Services
airgroup service airplay enable
airgroup service airprint enable
airgroup service itunes disable
airgroup service remotemgmt disable
airgroup service sharing disable
airgroup service chat disable
airgroup service googlecast disable
airgroup service DIAL enable
airgroup service DLNA Media disable
airgroup service DLNA Print disable
airgroup service allowall disable
ip igmp
ipv6 mld
no firewall attack-rate cp 1024
firewall enable ICE-STUN based firewall traversal
firewall attack-rate grat-arp 50 drop
ipv6 firewall ext-hdr-parse-len 100
firewall cp
ip domain lookup
country US
aaa authentication mac default
aaa authentication dot1x ArubaIntop-dot1x_prof
aaa authentication dot1x ascom
  machine-authentication enable
  machine-authentication machine-default-role ascom
  machine-authentication user-default-role authenticated
  reauthentication
  termination enable
  termination eap-type eap-peap
  termination inner-eap-type eap-mschapv2
aaa authentication dot1x default
aaa authentication dot1x Freeradius
  machine-authentication enable
  machine-authentication machine-default-role ascom
  machine-authentication user-default-role authenticated
aaa authentication-server radius Intop
  host 19216802

  key 6035e299cd29e5ccb74cf92aac31ee2f
aaa server-group ascom
  auth-server Internal
aaa server-group default
  auth-server Internal
  set role condition role value-of
aaa server-group intop
  auth-server Intop
aaa profile ascom
  initial-role ascom
  authentication-dot1x ascom
  dot1x-default-role authenticated
  dot1x-server-group ascom
aaa profile default
aaa profile default-dot1x
  initial-role ascom
  authentication-dot1x Freeradius
  dot1x-default-role authenticated
  dot1x-server-group intop
aaa profile default-dot1x-psk
  initial-role ascom
  authentication-dot1x default-psk
  dot1x-default-role authenticated
aaa authentication captive-portal default
aaa authentication wispr default
aaa authentication vpn default
aaa authentication vpn default-rap
aaa authentication mgmt
aaa authentication stateful-ntlm default
aaa authentication stateful-kerberos default
aaa authentication stateful-dot1x
  server-group intop
aaa authentication wired
web-server
guest-access-email
voice logging
voice dialplan-profile default
app lync traffic-control default
voice real-time-config
voice sip
aaa password-policy mgmt

control-plane-security
  no cpsec-enable
ids wms-general-profile
  poll-retries 3
ids wms-local-system-profile
valid-network-oui-profile
upgrade-profile
license profile
activate-service-whitelist
file syncing profile
ifmap cppm
pan profile default
pan active-profile
ap system-profile default
ap regulatory-domain-profile default
  country-code US
  valid-11g-channel 1
  valid-11g-channel 6
  valid-11g-channel 11
  valid-11a-channel 36
  valid-11a-channel 40
  valid-11a-channel 44
  valid-11a-channel 48
  valid-11a-channel 149
  valid-11a-channel 153
  valid-11a-channel 157
  valid-11a-channel 161
  valid-11a-channel 165
  valid-11g-40mhz-channel-pair 1-5
  valid-11g-40mhz-channel-pair 7-11
  valid-11a-40mhz-channel-pair 36-40
  valid-11a-40mhz-channel-pair 44-48
  valid-11a-40mhz-channel-pair 149-153
  valid-11a-40mhz-channel-pair 157-161
ap wired-ap-profile default
ap enet-link-profile default
ap mesh-ht-ssid-profile default
ap lldp med-network-policy-profile default
ap mesh-cluster-profile default
ap lldp profile default
ap mesh-radio-profile default
ap wired-port-profile default
ids general-profile default
ids unauthorized-device-profile default

ids profile default
rf arm-profile default
  assignment disable
rf arm-profile disable
  assignment disable
  no scanning
  no multi-band-scan
rf optimization-profile default
rf event-thresholds-profile default
rf am-scan-profile default
rf dot11a-radio-profile ch 165
  channel 48E
  tx-power 6
  arm-profile disable
rf dot11a-radio-profile ch 36
  channel 36E
  tx-power 25
  dot11h
  arm-profile disable
rf dot11a-radio-profile ch 40
  channel 40-
  tx-power 22
rf dot11a-radio-profile ch149
  channel 149E
  tx-power 6
  dot11h
rf dot11a-radio-profile ch44
  channel 44
  tx-power 16
rf dot11a-radio-profile default
  arm-profile disable
rf dot11g-radio-profile channel-1
  channel 1
  tx-power 6
  dot11h
  arm-profile disable
rf dot11g-radio-profile channel-11
  channel 11
  tx-power 30
  dot11h
  arm-profile disable
rf dot11g-radio-profile channel-6
  channel 6
  tx-power 25
  dot11h
  arm-profile disable
rf dot11g-radio-profile default
wlan handover-trigger-profile default

wlan rrm-ie-profile default
wlan bcn-rpt-req-profile default
wlan dot11r-profile default
wlan tsm-req-profile default
wlan voip-cac-profile default
  call-capacity 5
  bandwidth-capacity 200
  send-sip-status-code client 503
  send-sip-status-code server 503
wlan ht-ssid-profile default
  no 40MHz-enable
  no very-high-throughput-enable
  no 80MHz-enable
  no short-guard-intvl-20MHz
  no short-guard-intvl-40MHz
  no short-guard-intvl-80MHz
wlan hotspot anqp-venue-name-profile default
wlan hotspot anqp-nwk-auth-profile default
wlan hotspot anqp-roam-cons-profile default
wlan hotspot anqp-nai-realm-profile default
wlan hotspot anqp-3gpp-nwk-profile default
wlan hotspot h2qp-operator-friendly-name-profile default
wlan hotspot h2qp-wan-metrics-profile default
wlan hotspot h2qp-conn-capability-profile default
wlan hotspot h2qp-op-cl-profile default
wlan hotspot anqp-ip-addr-avail-profile default
wlan hotspot anqp-domain-name-profile default
wlan wmm-traffic-management-profile Ascom
  enable-shaping
wlan edca-parameters-profile station default
wlan edca-parameters-profile ap default
wlan dot11k-profile default
wlan ssid-profile --NEW--
  essid ArubaIntop2
  wmm-vo-dscp 56
  wmm-vi-dscp 40
  wmm-be-dscp 24
  wmm-bk-dscp 8
wlan ssid-profile default
  essid ArubaIntop
  opmode wpa2-psk-aes
  dtim-period 5
  g-basic-rates 6
  g-tx-rates 11 12 18 24 36 48 54

  max-retries 4
  wmm
  wmm-vo-dscp 46
  wmm-vi-dscp 40
  wmm-be-dscp 26
  wmm-bk-dscp 0
  wepkey1 1317981aecb1ee9a3145cbeeabbbc99a4c29e309ef9c8544
  wpa-passphrase 50a78a5dac7e447441e028920cceef898a3ba5f29c6e2098
  max-tx-fail 25
  edca-parameters-profile station default
  edca-parameters-profile ap default
wlan ssid-profile test
  opmode wpa2-psk-aes
  wmm-vo-dscp 56
  wmm-vi-dscp 40
  wmm-be-dscp 24
  wmm-bk-dscp 8
  wpa-passphrase c66913b490044f55538730b888a8522c02008a746fb88738
wlan hotspot advertisement-profile default
wlan hotspot hs2-profile default
wlan virtual-ap default
  aaa-profile default-dot1x
ap provisioning-profile default
rf arm-rf-domain-profile
  arm-rf-domain-key 49868e8b02680a8f03980ea4288197a4
ap-lacp-striping-ip
ap-group default
  virtual-ap default
  dot11a-radio-profile ch149
  dot11g-radio-profile channel-6
ap-name 001a1eca2c1a
  dot11a-radio-profile ch 36
  dot11g-radio-profile channel-11
ap-name 001a1eca2c76
  dot11a-radio-profile ch 36
  dot11g-radio-profile channel-1
ap-name 00246ccbf8b1
ap-name 00246ccbf900
  dot11a-radio-profile ch44
  dot11g-radio-profile channel-11
ap-name 24dec6cacabc
  dot11a-radio-profile ch149
  dot11g-radio-profile channel-1
ap-name 3400-ap-61-a
  dot11g-radio-profile channel-6
ap-name 3400-ap-61-b
  dot11g-radio-profile channel-6
ap-name 9c1c12c0c3bc
  dot11a-radio-profile ch 165
  dot11g-radio-profile channel-6

ap-name 9c1c12c82e5c
  dot11a-radio-profile ch149
  dot11g-radio-profile channel-1
ap-name 9c1c12cc6220
  dot11a-radio-profile ch 36
  dot11g-radio-profile channel-6
ap-name d8c7c8c0a168
  dot11a-radio-profile ch 36
  dot11g-radio-profile channel-1
airgroup cppm-server aaa
logging level warnings security subcat ids
logging level warnings security subcat ids-ap
snmp-server enable trap
snmp-server trap source 0000
snmp-server trap disable wlsxAdhocNetwork
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedAP
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedSta
snmp-server trap disable wlsxAdhocUsingValidSSID
snmp-server trap disable wlsxAuthMaxAclEntries
snmp-server trap disable wlsxAuthMaxBWContracts
snmp-server trap disable wlsxAuthMaxUserEntries
snmp-server trap disable wlsxAuthServerIsUp
snmp-server trap disable wlsxAuthServerReqTimedOut
snmp-server trap disable wlsxAuthServerTimedOut
snmp-server trap disable wlsxChannelChanged
snmp-server trap disable wlsxCoverageHoleDetected
snmp-server trap disable wlsxDBCommunicationFailure
snmp-server trap disable wlsxDisconnectStationAttack
snmp-server trap disable wlsxESIServerDown
snmp-server trap disable wlsxESIServerUp
snmp-server trap disable wlsxFanFailure
snmp-server trap disable wlsxFanTrayInserted
snmp-server trap disable wlsxFanTrayRemoved
snmp-server trap disable wlsxGBICInserted
snmp-server trap disable wlsxIpSpoofingDetected
snmp-server trap disable wlsxLCInserted
snmp-server trap disable wlsxLCRemoved
snmp-server trap disable wlsxLicenseExpiry
snmp-server trap disable wlsxLowMemory
snmp-server trap disable wlsxLowOnFlashSpace
snmp-server trap disable wlsxOutOfRangeTemperature
snmp-server trap disable wlsxOutOfRangeVoltage
snmp-server trap disable wlsxPowerSupplyFailure
snmp-server trap disable wlsxPowerSupplyMissing
snmp-server trap disable wlsxProcessDied
snmp-server trap disable wlsxProcessExceedsMemoryLimits
snmp-server trap disable wlsxSCInserted
snmp-server trap disable wlsxSignatureMatch
snmp-server trap disable wlsxStaUnAssociatedFromUnsecureAP
snmp-server trap disable wlsxStationAddedToBlackList
snmp-server trap disable wlsxStationRemovedFromBlackList
snmp-server trap disable wlsxSwitchIPChanged
snmp-server trap disable wlsxSwitchRoleChange
snmp-server trap disable wlsxUserAuthenticationFailed
snmp-server trap disable wlsxUserEntryAuthenticated
snmp-server trap disable wlsxUserEntryChanged
snmp-server trap disable wlsxUserEntryCreated
snmp-server trap disable wlsxUserEntryDeAuthenticated
snmp-server trap disable wlsxUserEntryDeleted
snmp-server trap disable wlsxVrrpStateChange

firewall-visibility
process monitor log
end

logon access-list session ra-guard access-list session logon-control access-list session captiveportal access-list session vpnlogon access-list session v6-logon-control access-list session captiveportal6no kernel coredumpinterface mgmtshutdowndialer group evdo_us init-string ATQ0V1E0 dial-string ATDT777dialer group gsm_us init-string AT+CGDCONT=1IPISPCINGULAR dial-string ATD99dialer group gsm_asia init-string AT+CGDCONT=1IPinternet dial-string ATD991dialer group vivo_br init-string AT+CGDCONT=1IPzapvivocombr dial-string ATD99no spanning-treeinterface gigabitethernet 10description GE10trustedtrusted vlan 1-4094interface gigabitethernet 11description GE11trustedtrusted vlan 1-4094interface gigabitethernet 12description GE12trustedtrusted vlan 1-4094interface gigabitethernet 13description GE13trustedtrusted vlan 1-4094interface vlan 1ip address 192168013 2552552550ip default-gateway 172201061ip default-gateway 192168050uplink disablecrypto isakmp policy 20 encryption aes256crypto isakmp policy 10001crypto isakmp policy 10002 encryption aes256 authentication rsa-sigcrypto isakmp policy 10003 encryption aes256crypto isakmp policy 10004 version v2 encryption aes256 authentication rsa-sigcrypto isakmp policy 10005 encryption aes256crypto isakmp policy 10006 version v2 encryption aes128 authentication rsa-sigcrypto isakmp policy 10007 version v2 encryption aes128crypto isakmp policy 10008 version v2 encryption aes128 hash sha2-256-128 group 19 authentication ecdsa-256 prf prf-hmac-sha256crypto isakmp policy 10009 version v2 encryption aes256 hash sha2-384-192 group 20 authentication ecdsa-384 prf prf-hmac-sha384crypto ipsec transform-set default-ha-transform esp-3des esp-sha-hmaccrypto ipsec transform-set default-boc-bm-transform esp-3des esp-sha-hmaccrypto ipsec transform-set default-rap-transform esp-aes256 esp-sha-hmaccrypto ipsec transform-set default-aes esp-aes256 esp-sha-hmaccrypto dynamic-map default-rap-ipsecmap 10001 version v2 set transform-set default-gcm256 
default-gcm128 default-rap-transform crypto dynamic-map default-dynamicmap 10000 set transform-set default-transform default-aes crypto map GLOBAL-IKEV2-MAP 10000 ipsec-isakmp dynamic default-rap-ipsecmapcrypto map GLOBAL-MAP 10000 ipsec-isakmp dynamic default-dynamicmapcrypto isakmp eap-passthrough eap-tlscrypto isakmp eap-passthrough eap-peapcrypto isakmp eap-passthrough eap-mschapv2vpdn group l2tp vpdn group pptptunneled-node-address 0000adp discovery enableadp igmp-join enableadp igmp-vlan 0voice rtcp-inactivity disablevoice alg-based-cac enablevoice sip-midcall-req-timeout disableap ap-blacklist-time 3600ap flush-r1-on-new-r0 disablemgmt-user admin root 5436b5a101681372db26d314e974065944317cd3e1fe6a5534no database synchronizeip mobile domain defaultairgroup mdns enableairgroup dlna enableairgroup location-discovery enableairgroup active-wireless-discovery disableairgroupservice airplay id _airplay_tcp id _raop_tcp id _appletv-v2_tcp description AirPlayairgroupservice airprint id _ipp_tcp id _pdl-datastream_tcp id _printer_tcp id _scanner_tcp id _universal_sub_ipp_tcp id _universal_sub_ipps_tcp id _printer_sub_http_tcp id _http_tcp id _http-alt_tcp id _ipp-tls_tcp id _fax-ipp_tcp id _riousbprint_tcp id _cups_sub_ipp_tcp id _cups_sub_fax-ipp_tcp id _ica-networking_tcp id _ptp_tcp id _canon-bjnp1_tcp id _ipps_tcp id _ica-networking2_tcp description AirPrintairgroupservice itunes id _home-sharing_tcp id _apple-mobdev_tcp id _daap_tcp id _dacp_tcp description iTunesairgroupservice remotemgmt id _ssh_tcp id _sftp-ssh_tcp id _ftp_tcp id _telnet_tcp id _rfb_tcp id _net-assistant_tcp description Remote managementairgroupservice sharing id _odisk_tcp id _afpovertcp_tcp id _xgrid_tcp description Sharingairgroupservice chat id _presence_tcp description Chatairgroupservice googlecast id _googlecast_tcp description GoogleCast supported by Chromecast etcairgroupservice DIAL id urndial-multiscreen-orgservicedial1 id urndial-multiscreen-orgdevicedial1 description DIAL 
supported by Chromecast FireTV Roku etcairgroupservice DLNA Media id urnschemas-upnp-orgdeviceMediaServer1 id urnschemas-upnp-orgdeviceMediaServer2 id urnschemas-upnp-orgdeviceMediaServer3 id urnschemas-upnp-orgdeviceMediaServer4 id urnschemas-upnp-orgdeviceMediaRenderer1 id urnschemas-upnp-orgdeviceMediaRenderer2 id urnschemas-upnp-orgdeviceMediaRenderer3 id urnschemas-upnp-orgdeviceMediaPlayer1 description Mediaairgroupservice DLNA Print id urnschemas-upnp-orgdevicePrinter1 id urnschemas-upnp-orgservicePrintBasic1 id urnschemas-upnp-orgservicePrintEnhanced1 description Printairgroupservice allowall description Remaining-Servicesairgroup service airplay enableairgroup service airprint enableairgroup service itunes disableairgroup service remotemgmt disableairgroup service sharing disableairgroup service chat disableairgroup service googlecast disableairgroup service DIAL enableairgroup service DLNA Media disableairgroup service DLNA Print disableairgroup service allowall disableip igmpipv6 mldno firewall attack-rate cp 1024firewall enable ICE-STUN based firewall traversalfirewall attack-rate grat-arp 50 dropipv6 firewall ext-hdr-parse-len 100firewall cpip domain lookupcountry USaaa authentication mac defaultaaa authentication dot1x ArubaIntop-dot1x_profaaa authentication dot1x ascom machine-authentication enable machine-authentication machine-default-role ascom machine-authentication user-default-role authenticated reauthentication termination enable termination eap-type eap-peap termination inner-eap-type eap-mschapv2aaa authentication dot1x defaultaaa authentication dot1x Freeradius machine-authentication enable machine-authentication machine-default-role ascom machine-authentication user-default-role authenticatedaaa authentication-server radius Intop host 19216802 key 6035e299cd29e5ccb74cf92aac31ee2faaa server-group ascom auth-server Internalaaa server-group default auth-server Internal set role condition role value-ofaaa server-group intop auth-server 
Intopaaa profile ascom initial-role ascom authentication-dot1x ascom dot1x-default-role authenticated dot1x-server-group ascomaaa profile defaultaaa profile default-dot1x initial-role ascom authentication-dot1x Freeradius dot1x-default-role authenticated dot1x-server-group intopaaa profile default-dot1x-psk initial-role ascom authentication-dot1x default-psk dot1x-default-role authenticatedaaa authentication captive-portal defaultaaa authentication wispr defaultaaa authentication vpn defaultaaa authentication vpn default-rapaaa authentication mgmtaaa authentication stateful-ntlm defaultaaa authentication stateful-kerberos defaultaaa authentication stateful-dot1x server-group intopaaa authentication wiredweb-serverguest-access-emailvoice loggingvoice dialplan-profile defaultapp lync traffic-control defaultvoice real-time-configvoice sipaaa password-policy mgmtcontrol-plane-security no cpsec-enableids wms-general-profile poll-retries 3ids wms-local-system-profilevalid-network-oui-profileupgrade-profilelicense profileactivate-service-whitelistfile syncing profileifmap cppmpan profile defaultpan active-profileap system-profile defaultap regulatory-domain-profile default country-code US valid-11g-channel 1 valid-11g-channel 6 valid-11g-channel 11 valid-11a-channel 36 valid-11a-channel 40 valid-11a-channel 44 valid-11a-channel 48 valid-11a-channel 149 valid-11a-channel 153 valid-11a-channel 157 valid-11a-channel 161 valid-11a-channel 165 valid-11g-40mhz-channel-pair 1-5 valid-11g-40mhz-channel-pair 7-11 valid-11a-40mhz-channel-pair 36-40 valid-11a-40mhz-channel-pair 44-48 valid-11a-40mhz-channel-pair 149-153 valid-11a-40mhz-channel-pair 157-161ap wired-ap-profile defaultap enet-link-profile defaultap mesh-ht-ssid-profile defaultap lldp med-network-policy-profile defaultap mesh-cluster-profile defaultap lldp profile defaultap mesh-radio-profile defaultap wired-port-profile defaultids general-profile defaultids unauthorized-device-profile defaultids profile defaultrf 
arm-profile default assignment disablerf arm-profile disable assignment disable no scanning no multi-band-scanrf optimization-profile defaultrf event-thresholds-profile defaultrf am-scan-profile defaultrf dot11a-radio-profile ch 165 channel 48E tx-power 6 arm-profile disablerf dot11a-radio-profile ch 36 channel 36E tx-power 25 dot11h arm-profile disablerf dot11a-radio-profile ch 40 channel 40- tx-power 22rf dot11a-radio-profile ch149 channel 149E tx-power 6 dot11hrf dot11a-radio-profile ch44 channel 44 tx-power 16rf dot11a-radio-profile default arm-profile disablerf dot11g-radio-profile channel-1 channel 1 tx-power 6 dot11h arm-profile disablerf dot11g-radio-profile channel-11 channel 11 tx-power 30 dot11h arm-profile disablerf dot11g-radio-profile channel-6 channel 6 tx-power 25 dot11h arm-profile disablerf dot11g-radio-profile defaultwlan handover-trigger-profile defaultwlan rrm-ie-profile defaultwlan bcn-rpt-req-profile defaultwlan dot11r-profile defaultwlan tsm-req-profile defaultwlan voip-cac-profile default call-capacity 5 bandwidth-capacity 200 send-sip-status-code client 503 send-sip-status-code server 503wlan ht-ssid-profile default no 40MHz-enable no very-high-throughput-enable no 80MHz-enable no short-guard-intvl-20MHz no short-guard-intvl-40MHz no short-guard-intvl-80MHzwlan hotspot anqp-venue-name-profile defaultwlan hotspot anqp-nwk-auth-profile defaultwlan hotspot anqp-roam-cons-profile defaultwlan hotspot anqp-nai-realm-profile defaultwlan hotspot anqp-3gpp-nwk-profile defaultwlan hotspot h2qp-operator-friendly-name-profile defaultwlan hotspot h2qp-wan-metrics-profile defaultwlan hotspot h2qp-conn-capability-profile defaultwlan hotspot h2qp-op-cl-profile defaultwlan hotspot anqp-ip-addr-avail-profile defaultwlan hotspot anqp-domain-name-profile defaultwlan wmm-traffic-management-profile Ascom enable-shapingwlan edca-parameters-profile station defaultwlan edca-parameters-profile ap defaultwlan dot11k-profile defaultwlan ssid-profile --NEW-- essid 
ArubaIntop2 wmm-vo-dscp 56 wmm-vi-dscp 40 wmm-be-dscp 24 wmm-bk-dscp 8wlan ssid-profile default essid ArubaIntop opmode wpa2-psk-aes dtim-period 5 g-basic-rates 6 g-tx-rates 11 12 18 24 36 48 54 max-retries 4 wmm wmm-vo-dscp 46 wmm-vi-dscp 40 wmm-be-dscp 26 wmm-bk-dscp 0 wepkey1 1317981aecb1ee9a3145cbeeabbbc99a4c29e309ef9c8544 wpa-passphrase 50a78a5dac7e447441e028920cceef898a3ba5f29c6e2098 max-tx-fail 25 edca-parameters-profile station default edca-parameters-profile ap defaultwlan ssid-profile test opmode wpa2-psk-aes wmm-vo-dscp 56 wmm-vi-dscp 40 wmm-be-dscp 24 wmm-bk-dscp 8 wpa-passphrase c66913b490044f55538730b888a8522c02008a746fb88738wlan hotspot advertisement-profile defaultwlan hotspot hs2-profile defaultwlan virtual-ap default aaa-profile default-dot1xap provisioning-profile defaultrf arm-rf-domain-profile arm-rf-domain-key 49868e8b02680a8f03980ea4288197a4ap-lacp-striping-ipap-group default virtual-ap default dot11a-radio-profile ch149 dot11g-radio-profile channel-6ap-name 001a1eca2c1a dot11a-radio-profile ch 36 dot11g-radio-profile channel-11ap-name 001a1eca2c76 dot11a-radio-profile ch 36 dot11g-radio-profile channel-1ap-name 00246ccbf8b1ap-name 00246ccbf900 dot11a-radio-profile ch44 dot11g-radio-profile channel-11ap-name 24dec6cacabc dot11a-radio-profile ch149 dot11g-radio-profile channel-1ap-name 3400-ap-61-a dot11g-radio-profile channel-6ap-name 3400-ap-61-b dot11g-radio-profile channel-6ap-name 9c1c12c0c3bc dot11a-radio-profile ch 165 dot11g-radio-profile channel-6ap-name 9c1c12c82e5c dot11a-radio-profile ch149 dot11g-radio-profile channel-1ap-name 9c1c12cc6220 dot11a-radio-profile ch 36 dot11g-radio-profile channel-6ap-name d8c7c8c0a168 dot11a-radio-profile ch 36 dot11g-radio-profile channel-1airgroup cppm-server aaalogging level warnings security subcat idslogging level warnings security subcat ids-apsnmp-server enable trapsnmp-server trap source 0000snmp-server trap disable wlsxAdhocNetworksnmp-server trap disable 
wlsxAdhocNetworkBridgeDetectedAPsnmp-server trap disable wlsxAdhocNetworkBridgeDetectedStasnmp-server trap disable wlsxAdhocUsingValidSSIDsnmp-server trap disable wlsxAuthMaxAclEntriessnmp-server trap disable wlsxAuthMaxBWContractssnmp-server trap disable wlsxAuthMaxUserEntriessnmp-server trap disable wlsxAuthServerIsUpsnmp-server trap disable wlsxAuthServerReqTimedOutsnmp-server trap disable wlsxAuthServerTimedOutsnmp-server trap disable wlsxChannelChangedsnmp-server trap disable wlsxCoverageHoleDetectedsnmp-server trap disable wlsxDBCommunicationFailuresnmp-server trap disable wlsxDisconnectStationAttacksnmp-server trap disable wlsxESIServerDownsnmp-server trap disable wlsxESIServerUpsnmp-server trap disable wlsxFanFailuresnmp-server trap disable wlsxFanTrayInsertedsnmp-server trap disable wlsxFanTrayRemovedsnmp-server trap disable wlsxGBICInsertedsnmp-server trap disable wlsxIpSpoofingDetectedsnmp-server trap disable wlsxLCInsertedsnmp-server trap disable wlsxLCRemovedsnmp-server trap disable wlsxLicenseExpirysnmp-server trap disable wlsxLowMemorysnmp-server trap disable wlsxLowOnFlashSpacesnmp-server trap disable wlsxOutOfRangeTemperaturesnmp-server trap disable wlsxOutOfRangeVoltagesnmp-server trap disable wlsxPowerSupplyFailuresnmp-server trap disable wlsxPowerSupplyMissingsnmp-server trap disable wlsxProcessDiedsnmp-server trap disable wlsxProcessExceedsMemoryLimitssnmp-server trap disable wlsxSCInsertedsnmp-server trap disable wlsxSignatureMatchsnmp-server trap disable wlsxStaUnAssociatedFromUnsecureAPsnmp-server trap disable wlsxStationAddedToBlackListsnmp-server trap disable wlsxStationRemovedFromBlackListsnmp-server trap disable wlsxSwitchIPChangedsnmp-server trap disable wlsxSwitchRoleChangesnmp-server trap disable wlsxUserAuthenticationFailedsnmp-server trap disable wlsxUserEntryAuthenticatedsnmp-server trap disable wlsxUserEntryChangedsnmp-server trap disable wlsxUserEntryCreatedsnmp-server trap disable wlsxUserEntryDeAuthenticatedsnmp-server trap 
disable wlsxUserEntryDeletedsnmp-server trap disable wlsxVrrpStateChangefirewall-visibility process monitor logend

WLAN Interoperability Test Report
Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP115 and AP225
WLAN configuration: Beacon Interval 100ms, DTIM Interval 5, 802.11d Regulatory Domain XX, WMM Enabled (AutoWMM), No Auto-tune, Single Voice VLAN
Verdict columns, in order: AP115 2.4GHz, AP115 5.0GHz, AP225 2.4GHz, AP225 5.0GHz
Test Case Description Verdict Verdict Verdict Verdict Comment
TEST AREA ASSOCIATION AUTHENTICATION
101 Association with open authentication no encryption PASS PASS PASS PASS
104 Association with WPA-PSK authentication TKIP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED Not tested. Only possible in Mixed mode and requires advanced configuration of i62
105 Association with WPA-PSK authentication AES-CCMP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED Not tested. Only possible in Mixed mode and requires advanced configuration of i62
106 Association with WPA2-PSK authentication TKIP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED
107 Association with WPA2-PSK authentication AES-CCMP encryption PASS PASS PASS PASS
110 Association with PEAP-MSCHAPv2 auth AES-CCMP encryption PASS PASS PASS PASS FreeRADIUS RootCA FAIL
111 Association with EAP-FAST authentication NOT TESTED NOT TESTED NOT TESTED NOT TESTED
115 Association with multiple ESSIDs on AP PASS PASS PASS PASS See Comment
116 Association with EAP-TLS authentication PASS PASS PASS PASS FreeRADIUS RootCA + client certificate
TEST AREA POWER-SAVE AND QOS PASS
150 802.11 Power-save mode PASS PASS PASS PASS FAIL
151 Beacon period and DTIM interval NOT TESTED NOT TESTED NOT TESTED NOT TESTED NOT TESTED
152 802.11e U-APSD PASS PASS PASS PASS See Comment
202 WMM prioritization PASS PASS PASS PASS Background load generated with iPerf. No degradation of voice quality
TEST AREA PERFORMANCE
301 Active mode - unencrypted NOT TESTED NOT TESTED NOT TESTED NOT TESTED
303 Active mode - encrypted with WPA2-PSK NOT TESTED NOT TESTED NOT TESTED NOT TESTED
308 Power-save mode U-APSD - WPA2-PSK NOT TESTED NOT TESTED NOT TESTED NOT TESTED
309 Power-save mode U-APSD - WPA2-PSK AES background load NOT TESTED NOT TESTED NOT TESTED NOT TESTED
310 CAC - TSPEC PASS PASS PASS PASS No TSPEC based CAC
TEST AREA ROAMING AND HANDOVER TIMES
401 Handover with open authentication and no encryption PASS PASS PASS PASS avg a/n 24ms, b/g/n 24ms
403 Handover with WPA-PSK authentication and TKIP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED
404 Handover with WPA2-PSK auth and AES-CCMP encryption PASS PASS PASS PASS avg a/n 52ms, b/g/n 59ms
408 Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption PASS PASS PASS PASS avg a/n 63ms, b/g/n 62ms
410 Handover using PMKSA caching PASS PASS PASS PASS Always on, see 408
411 Handover using PMKSA and opportunistic/proactive key caching PASS PASS PASS PASS Always on, see 408
TEST AREA BATTERY LIFETIME
501 Battery lifetime in idle NOT TESTED NOT TESTED NOT TESTED NOT TESTED
502 Battery lifetime in call with no power save NOT TESTED NOT TESTED NOT TESTED NOT TESTED
504 Battery lifetime in call with power save mode U-APSD NOT TESTED NOT TESTED NOT TESTED NOT TESTED
TEST AREA STABILITY
601 Duration of call - Active mode NOT TESTED NOT TESTED NOT TESTED NOT TESTED
602 Duration of call - U-APSD mode PASS PASS PASS PASS
TEST AREA 802.11n
801 Frame aggregation A-MSDU NOT TESTED NOT TESTED NOT TESTED NOT TESTED
802 Frame aggregation A-MPDU NOT TESTED NOT TESTED NOT TESTED NOT TESTED
804 40MHz channels NOT TESTED PASS NOT TESTED NOT TESTED
805 802.11n rates PASS PASS PASS PASS
WLAN Interoperability Test Report
Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP103 and AP205
WLAN configuration: Beacon Interval 100ms, DTIM Interval 5, 802.11d Regulatory Domain XX, WMM Enabled (AutoWMM), No Auto-tune, Single Voice VLAN
Verdict columns, in order: AP205 2.4GHz, AP205 5.0GHz, AP103 2.4GHz, AP103 5.0GHz
Test Case Description Verdict Verdict Verdict Verdict Comment
TEST AREA ASSOCIATION AUTHENTICATION
101 Association with open authentication no encryption PASS PASS PASS PASS
104 Association with WPA-PSK authentication TKIP encryption See Comment See Comment See Comment See Comment Not tested. Only possible in Mixed mode and requires advanced configuration of i62
105 Association with WPA-PSK authentication AES-CCMP encryption See Comment See Comment See Comment See Comment Not tested. Only possible in Mixed mode and requires advanced configuration of i62
106 Association with WPA2-PSK authentication TKIP encryption PASS PASS PASS PASS
107 Association with WPA2-PSK authentication AES-CCMP encryption PASS PASS PASS PASS
110 Association with PEAP-MSCHAPv2 auth AES-CCMP encryption PASS PASS PASS PASS FreeRADIUS RootCA FAIL
115 Association with multiple ESSIDs on AP PASS PASS PASS PASS See Comment
116 Association with EAP-TLS authentication PASS PASS PASS PASS FreeRADIUS RootCA + client certificate
TEST AREA POWER-SAVE AND QOS PASS
150 802.11 Power-save mode PASS PASS PASS PASS FAIL
151 Beacon period and DTIM interval See Comment See Comment PASS PASS Only DTIM 1 for AP205; AP103 no remark NOT TESTED
152 802.11e U-APSD PASS PASS PASS PASS See Comment
202 WMM prioritization PASS PASS PASS PASS
TEST AREA PERFORMANCE
301 Active mode - unencrypted PASS PASS PASS PASS
303 Active mode - encrypted with WPA2-PSK PASS PASS PASS PASS
308 Power-save mode U-APSD - WPA2-PSK PASS PASS PASS PASS
309 Power-save mode U-APSD - WPA2-PSK AES background load NOT TESTED NOT TESTED NOT TESTED NOT TESTED
310 CAC - TSPEC PASS PASS PASS PASS Non-TSPEC based CAC
TEST AREA ROAMING AND HANDOVER TIMES
401 Handover with open authentication and no encryption PASS PASS PASS PASS Typical average roaming time a/n/ac 16ms, b/g/n 18ms
403 Handover with WPA-PSK authentication and TKIP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED
404 Handover with WPA2-PSK auth and AES-CCMP encryption PASS PASS PASS PASS Typical average roaming time a/n/ac 53ms, b/g/n 59ms
408 Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption PASS PASS PASS PASS Typical average roaming time a/n/ac 46ms, b/g/n 62ms
410 Handover using PMKSA caching PASS PASS PASS PASS Always on, see 408
411 Handover using PMKSA and opportunistic/proactive key caching PASS PASS PASS PASS Always on, see 408
TEST AREA BATTERY LIFETIME
501 Battery lifetime in idle See Comment See Comment PASS PASS 60-70h due to DTIM 1 only; AP103 90-100h (DTIM 5)
502 Battery lifetime in call with no power save PASS PASS PASS PASS 3-4 hours
504 Battery lifetime in call with power save mode U-APSD PASS PASS PASS PASS 13h (14-16h for AP103)
TEST AREA STABILITY
601 Duration of call - Active mode PASS PASS PASS PASS 24h+
602 Duration of call - U-APSD mode PASS PASS PASS PASS 24h+
TEST AREA 802.11n
801 Frame aggregation A-MSDU NOT TESTED NOT TESTED NOT TESTED NOT TESTED
802 Frame aggregation A-MPDU NOT TESTED NOT TESTED NOT TESTED NOT TESTED
804 40MHz channels NOT TESTED PASS NOT TESTED PASS AP205 80MHz channels verified OK
805 802.11n rates PASS PASS PASS PASS
WLAN Interoperability Test Report
Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP105 and AP135
WLAN configuration: Beacon Interval 100ms, DTIM Interval 5, 802.11d Regulatory Domain XX, WMM Enabled (AutoWMM), No Auto-tune, Single Voice VLAN
Verdict columns, in order: AP105 2.4GHz, AP105 5.0GHz, AP135 2.4GHz, AP135 5.0GHz
Test Case Description Verdict Verdict Verdict Verdict Comment
TEST AREA ASSOCIATION AUTHENTICATION
101 Association with open authentication no encryption PASS PASS PASS PASS
104 Association with WPA-PSK authentication TKIP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED Not tested. Only possible in Mixed mode and requires advanced configuration of i62
105 Association with WPA-PSK authentication AES-CCMP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED Not tested. Only possible in Mixed mode and requires advanced configuration of i62
106 Association with WPA2-PSK authentication TKIP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED
107 Association with WPA2-PSK authentication AES-CCMP encryption PASS PASS PASS PASS
110 Association with PEAP-MSCHAPv2 auth AES-CCMP encryption PASS PASS PASS PASS FreeRADIUS RootCA FAIL
115 Association with multiple ESSIDs on AP PASS PASS PASS PASS See Comment
116 Association with EAP-TLS authentication PASS PASS PASS PASS FreeRADIUS RootCA + client certificate
TEST AREA POWER-SAVE AND QOS PASS
150 802.11 Power-save mode PASS PASS PASS PASS FAIL
151 Beacon period and DTIM interval NOT TESTED NOT TESTED NOT TESTED NOT TESTED Only DTIM 1 for AP205; AP103 no remark NOT TESTED
152 802.11e U-APSD PASS PASS PASS PASS See Comment
202 WMM prioritization NOT TESTED NOT TESTED NOT TESTED NOT TESTED Background load generated with iPerf. No degradation of voice quality
TEST AREA PERFORMANCE
301 Active mode - unencrypted NOT TESTED NOT TESTED NOT TESTED NOT TESTED
303 Active mode - encrypted with WPA2-PSK NOT TESTED NOT TESTED NOT TESTED NOT TESTED
308 Power-save mode U-APSD - WPA2-PSK NOT TESTED NOT TESTED NOT TESTED NOT TESTED
309 Power-save mode U-APSD - WPA2-PSK AES background load NOT TESTED NOT TESTED NOT TESTED NOT TESTED
310 CAC - TSPEC PASS PASS PASS PASS No TSPEC based CAC
TEST AREA ROAMING AND HANDOVER TIMES
401 Handover with open authentication and no encryption PASS PASS PASS PASS avg a/n 29ms, b/g/n 27ms
403 Handover with WPA-PSK authentication and TKIP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED
404 Handover with WPA2-PSK auth and AES-CCMP encryption PASS PASS PASS PASS avg a/n 57ms, b/g/n 55ms
408 Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption PASS PASS PASS PASS avg a/n 62ms, b/g/n 60ms
410 Handover using PMKSA caching PASS PASS PASS PASS Always on, see 408
411 Handover using PMKSA and opportunistic/proactive key caching PASS PASS PASS PASS Always on, see 408
412 Preauthentication NOT TESTED NOT TESTED NOT TESTED NOT TESTED
TEST AREA BATTERY LIFETIME
501 Battery lifetime in idle NOT TESTED NOT TESTED NOT TESTED NOT TESTED
502 Battery lifetime in call with no power save NOT TESTED NOT TESTED NOT TESTED NOT TESTED
504 Battery lifetime in call with power save mode U-APSD NOT TESTED NOT TESTED NOT TESTED NOT TESTED
TEST AREA STABILITY
601 Duration of call - Active mode PASS PASS PASS PASS
602 Duration of call - U-APSD mode PASS PASS PASS PASS
TEST AREA 802.11n
801 Frame aggregation A-MSDU NOT TESTED NOT TESTED NOT TESTED NOT TESTED
802 Frame aggregation A-MPDU NOT TESTED NOT TESTED NOT TESTED NOT TESTED
804 40MHz channels NOT TESTED NOT TESTED NOT TESTED PASS
805 802.11n rates PASS PASS PASS PASS

Enterprise 802.1X authentication

Step 1: When configuring the authentication mode using a RADIUS server, the IP address and the secret must correspond to the IP address and the credential used by the RADIUS server. The RADIUS server should be added to a Server Group.

Step 2: Create an 802.1X Authentication Profile.

Step 3: Choose the 802.1X Authentication profile created in the previous step and configure the Authentication Server group.

Choose the configured AAA Profile and set WPA2 with AES as the security mode.

See Appendix B for the controller configuration used for the certification process.
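
The AAA profile selected in Step 3 names the roles a handset receives before and after 802.1X completes, and each role is only as restrictive as the session ACLs bound to it. The following added example (not part of the guide or of any Aruba or Ascom tooling) parses a constructed, abridged, one-statement-per-line excerpt modelled on the Appendix B configuration and reports every profile stage whose role ends in an `any any any permit` rule; the `voice-only` profile is a hypothetical contrast case.

```python
"""Resolve which session ACLs an ArubaOS AAA profile hands to a client."""

# Constructed, abridged sample with one statement per line. The ACLs, roles and
# the "ascom" AAA profile mirror statements in the guide's test configuration;
# the "voice-only" profile is hypothetical and included only for contrast.
SAMPLE_CONFIG = """\
ip access-list session ra-guard
  ipv6 user any icmpv6 rtr-adv deny
ip access-list session sip-acl
  any any svc-sip-udp permit queue high
  any any svc-sip-tcp permit queue high
ip access-list session dhcp-acl
  any any svc-dhcp permit
ip access-list session ascom
  any any any permit
ip access-list session allowall
  any any any permit
user-role voice
  access-list session ra-guard
  access-list session sip-acl
  access-list session dhcp-acl
user-role ascom
  access-list session ascom
user-role authenticated
  access-list session ra-guard
  access-list session allowall
aaa profile ascom
  initial-role ascom
  authentication-dot1x ascom
  dot1x-default-role authenticated
  dot1x-server-group ascom
aaa profile voice-only
  initial-role voice
  dot1x-default-role voice
"""

# AAA profile settings that assign a role to the client.
ROLE_KEYS = ("initial-role", "dot1x-default-role")


def parse_config(text):
    """Return (acls, roles, profiles) from a line-oriented configuration."""
    acls, roles, profiles = {}, {}, {}
    kind = name = None
    for raw in text.splitlines():
        # Normalise the typographic hyphen that PDF extraction leaves behind.
        words = raw.replace("\u2010", "-").replace('"', "").split()
        if not words or words == ["!"]:
            continue
        if not raw[0].isspace():  # an unindented statement opens a new block
            kind = name = None
            if words[:3] == ["ip", "access-list", "session"] and len(words) == 4:
                kind, name = "acl", words[3]
                acls.setdefault(name, [])
            elif words[0] == "user-role" and len(words) == 2:
                kind, name = "role", words[1]
                roles.setdefault(name, [])
            elif words[:2] == ["aaa", "profile"] and len(words) == 3:
                kind, name = "profile", words[2]
                profiles.setdefault(name, {})
            continue
        if kind == "acl":
            acls[name].append(" ".join(words))
        elif kind == "role" and words[:2] == ["access-list", "session"] and len(words) == 3:
            roles[name].append(words[2])
        elif kind == "profile" and words[0] in ROLE_KEYS and len(words) == 2:
            profiles[name][words[0]] = words[1]
    return acls, roles, profiles


def is_permit_all(rule):
    """True for an unrestricted IPv4 or IPv6 'any any any permit' rule."""
    words = rule.split()
    if words and words[0] == "ipv6":
        words = words[1:]
    return words[:4] == ["any", "any", "any", "permit"]


def audit(text):
    """List (profile, stage, role, acl, reason) for each over-broad binding."""
    acls, roles, profiles = parse_config(text)
    findings = []
    for profile, stages in sorted(profiles.items()):
        for stage, role in sorted(stages.items()):
            for acl in roles.get(role, []):
                if acl not in acls:
                    findings.append((profile, stage, role, acl, "ACL not defined"))
                elif any(is_permit_all(rule) for rule in acls[acl]):
                    findings.append((profile, stage, role, acl, "permits all traffic"))
    return findings


if __name__ == "__main__":
    for profile, stage, role, acl, reason in audit(SAMPLE_CONFIG):
        print(f"aaa profile {profile}: {stage} {role} -> ACL {acl}: {reason}")
```

A profile that produces no findings, such as the hypothetical `voice-only` one, confines the handset to the services its ACLs name.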

Ascom i62 Setting Summary

Network settings for WPA2-PSK

Network settings for 802.1X authentication (PEAP-MSCHAPv2)

802.1X authentication requires a root certificate to be uploaded to the phone by right-clicking -> Edit certificates. EAP-TLS requires both a root and a client certificate.

Note that both a root and a client certificate are needed for TLS. Otherwise only a root certificate is needed.

Server certificate validation can be overridden in version 4112 and above with a per-handset setting (Validate server certificate under Network settings).

APPENDIX B

Test Summary

Description              Runs
Tests passed             24
Tests Not Run            11
Tests fail               0
Test NA                  0
Total Number of Tests    35

Aruba Test Configuration File

version 6.4
enable secret 7d3988e20126db68084797bcc038534bffc2ced01c24555806
hostname Aruba3400
clock timezone PST -8
location Building1floor1
controller config 716
ip NAT pool dynamic-srcnat 0.0.0.0 0.0.0.0
ip access-list eth validuserethacl
  permit any
netservice svc-pcoip2-tcp tcp 4172
netservice svc-snmp-trap udp 162
netservice svc-netbios-dgm udp 138
netservice svc-citrix tcp 2598
netservice svc-smb-tcp tcp 445
netservice svc-ike udp 500
netservice svc-l2tp udp 1701
netservice svc-syslog udp 514
netservice svc-dhcp udp 67 68 alg dhcp
netservice svc-https tcp 443
netservice svc-ica tcp 1494
netservice svc-pptp tcp 1723
netservice svc-telnet tcp 23
netservice svc-http-accl tcp 88
netservice svc-sccp tcp 2000 alg sccp
netservice svc-sec-papi udp 8209
netservice svc-tftp udp 69 alg tftp
netservice svc-kerberos udp 88
netservice svc-sip-tcp tcp 5060
netservice svc-netbios-ssn tcp 139
netservice svc-pcoip-udp udp 50002
netservice svc-pcoip-tcp tcp 50002
netservice svc-pop3 tcp 110
netservice svc-adp udp 8200
netservice svc-cfgm-tcp tcp 8211
netservice svc-noe udp 32512 alg noe
netservice svc-http-proxy3 tcp 8888
netservice svc-lpd-tcp tcp 631
netservice svc-msrpc-tcp tcp 135 139
netservice svc-rtsp tcp 554 alg rtsp
netservice svc-dns udp 53 alg dns
netservice vnc tcp 5900 5905
netservice svc-vocera udp 5002 alg vocera
netservice svc-h323-tcp tcp 1720
netservice svc-h323-udp udp 1718 1719
netservice svc-http tcp 80
netservice svc-nterm tcp 1026 1028
netservice svc-sip-udp udp 5060
netservice svc-http-proxy2 tcp 8080
netservice svc-noe-oxo udp 5000 alg noe
netservice svc-papi udp 8211
netservice svc-ftp tcp 21 alg ftp
netservice svc-natt udp 4500
netservice svc-svp 119 alg svp
netservice svc-microsoft-ds tcp 445
netservice svc-gre 47
netservice svc-smtp tcp 25
netservice web tcp list 80 443
netservice svc-smb-udp udp 445
netservice svc-sips tcp 5061 alg sips
netservice svc-netbios-ns udp 137
netservice svc-esp 50

netservice svc-cups tcp 515
netservice svc-pcoip2-udp udp 4172
netservice svc-bootp udp 67 69
netservice svc-snmp udp 161
netservice svc-v6-dhcp udp 546 547
netservice svc-icmp 1
netservice svc-ntp udp 123
netservice svc-msrpc-udp udp 135 139
netservice svc-ssh tcp 22
netservice svc-http-proxy1 tcp 3128
netservice svc-v6-icmp 58
netservice svc-lpd-udp udp 631
netservice svc-vmware-rdp tcp 3389
netdestination6 ipv6-reserved-range
  invert
  network 20003
netexthdr default
time-range night-hours periodic
  weekday 1801 to 2359
  weekday 0000 to 0759
time-range weekend periodic
  weekend 0000 to 2359
time-range working-hours periodic
  weekday 0800 to 1800
ip access-list session allow-diskservices
  any any svc-netbios-dgm permit
  any any svc-netbios-ssn permit
  any any svc-microsoft-ds permit
  any any svc-netbios-ns permit
ip access-list session control
  any any svc-papi permit
  any any svc-sec-papi permit
  user any udp 68 deny
  any any svc-icmp permit
  any any svc-dns permit
  any any svc-cfgm-tcp permit
  any any svc-adp permit
  any any svc-tftp permit
  any any svc-dhcp permit
  any any svc-natt permit
ip access-list session v6-icmp-acl
ip access-list session apprf-ascom-sacl
ip access-list session validuser
  network 16925400 25525500 any any deny
  network 127000 255000 any any deny
  network 224000 240000 any any deny
  host 255255255255 any any deny
  network 240000 240000 any any deny
  any any any permit
  ipv6 host fe80 any any deny
  ipv6 network fc007 any any permit
  ipv6 network fe8064 any any permit
  ipv6 alias ipv6-reserved-range any any deny
  ipv6 any any any permit
ip access-list session vocera-acl
  any any svc-vocera permit queue high

ip access-list session v6-https-acl
ip access-list session vmware-acl
  any any svc-vmware-rdp permit tos 46 dot1p-priority 6
  any any svc-pcoip-tcp permit tos 46 dot1p-priority 6
  any any svc-pcoip-udp permit tos 46 dot1p-priority 6
  any any svc-pcoip2-tcp permit tos 46 dot1p-priority 6
  any any svc-pcoip2-udp permit tos 46 dot1p-priority 6
ip access-list session apprf-default-vpn-role-sacl
ip access-list session v6-control
  ipv6 any any svc-papi permit
  ipv6 any any svc-sec-papi permit
  ipv6 user any udp 547 deny
  ipv6 any any svc-v6-icmp permit
  ipv6 any any svc-dns permit
  ipv6 any any svc-cfgm-tcp permit
  ipv6 any any svc-adp permit
  ipv6 any any svc-tftp permit
  ipv6 any any svc-dhcp permit
  ipv6 any any svc-natt permit
ip access-list session icmp-acl
  any any svc-icmp permit
ip access-list session apprf-authenticated-sacl
ip access-list session apprf-stateful-dot1x-sacl
ip access-list session captiveportal
  user alias controller svc-https dst-nat 8081
  user any svc-http dst-nat 8080
  user any svc-https dst-nat 8081
  user any svc-http-proxy1 dst-nat 8088
  user any svc-http-proxy2 dst-nat 8088
  user any svc-http-proxy3 dst-nat 8088
ip access-list session v6-dhcp-acl
ip access-list session allowall
  any any any permit
ip access-list session v6-dns-acl
ip access-list session apprf-voice-sacl
ip access-list session lync-acl
  any any svc-sips permit queue high
ip access-list session test
ip access-list session sip-acl
  any any svc-sip-udp permit queue high
  any any svc-sip-tcp permit queue high
ip access-list session https-acl
  any any svc-https permit
ip access-list session citrix-acl
  any any svc-citrix permit tos 46 dot1p-priority 6
  any any svc-ica permit tos 46 dot1p-priority 6
ip access-list session dns-acl
  any any svc-dns permit

ip access-list session ascom
  any any any permit
ip access-list session ra-guard
  ipv6 user any icmpv6 rtr-adv deny
ip access-list session allow-printservices
  any any svc-cups permit
  any any svc-lpd-tcp permit
  any any svc-lpd-udp permit
ip access-list session logon-control
  user any udp 68 deny
  any any svc-icmp permit
  any any svc-dns permit
  any any svc-dhcp permit
  any any svc-natt permit
  any network 16925400 25525500 any deny
  any network 240000 240000 any deny
ip access-list session vpnlogon
  user any svc-ike permit
  user any svc-esp permit
  any any svc-l2tp permit
  any any svc-pptp permit
  any any svc-gre permit
ip access-list session srcnat
  user any any src-nat
ip access-list session skinny-acl
  any any svc-sccp permit queue high
ip access-list session tftp-acl
  any any svc-tftp permit
ip access-list session v6-allowall
ip access-list session apprf-cpbase-sacl
ip access-list session cplogout
  user alias controller svc-https dst-nat 8081
ip access-list session apprf-default-via-role-sacl
ip access-list session dhcp-acl
  any any svc-dhcp permit
ip access-list session http-acl
  any any svc-http permit
ip access-list session v6-http-acl
ip access-list session captiveportal6
  ipv6 user alias controller6 svc-https captive
  ipv6 user any svc-http captive
  ipv6 user any svc-https captive
  ipv6 user any svc-http-proxy1 captive
  ipv6 user any svc-http-proxy2 captive
  ipv6 user any svc-http-proxy3 captive
ip access-list session apprf-guest-sacl
ip access-list session ap-uplink-acl
  any any udp 68 permit

  any any svc-icmp permit
  any host 22400251 udp 5353 permit
ip access-list session ap-acl
  any any svc-gre permit
  any any svc-syslog permit
  any user svc-snmp permit
  user any svc-http permit
  user any svc-http-accl permit
  user any svc-smb-tcp permit
  user any svc-msrpc-tcp permit
  user any svc-snmp-trap permit
  user any svc-ntp permit
  user alias controller svc-ftp permit
ip access-list session svp-acl
  any any svc-svp permit queue high
  user host 22401116 any permit
ip access-list session noe-acl
  any any svc-noe permit queue high
ip access-list session global-sacl
ip access-list session v6-ap-acl
  ipv6 any any svc-gre permit
  ipv6 any any svc-syslog permit
  ipv6 any user svc-snmp permit
  ipv6 user any svc-snmp-trap permit
  ipv6 user any svc-ntp permit
  ipv6 user alias controller6 svc-ftp permit
ip access-list session h323-acl
  any any svc-h323-tcp permit queue high
  any any svc-h323-udp permit queue high
ip access-list session v6-logon-control
  ipv6 any network fc007 any permit
  ipv6 any network fe8064 any permit
  ipv6 any alias ipv6-reserved-range any deny
vpn-dialer default-dialer
  ike authentication PRE-SHARE 0fa4598253e270cc96afbec0732b06120e4a3d76a908f6e2
dot1x high-watermark 60
dot1x low-watermark 57
user-role ap-role
  access-list session ra-guard
  access-list session control
  access-list session ap-acl
  access-list session v6-control
  access-list session v6-ap-acl
user-role denyall
user-role default-vpn-role
  access-list session global-sacl
  access-list session apprf-default-vpn-role-sacl
  access-list session ra-guard
  access-list session allowall
  access-list session v6-allowall
user-role cpbase
  access-list session global-sacl
  access-list session apprf-cpbase-sacl

user-role voice
  access-list session global-sacl
  access-list session apprf-voice-sacl
  access-list session ra-guard
  access-list session sip-acl
  access-list session noe-acl
  access-list session svp-acl
  access-list session vocera-acl
  access-list session skinny-acl
  access-list session h323-acl
  access-list session dhcp-acl
  access-list session tftp-acl
  access-list session dns-acl
  access-list session icmp-acl
user-role ascom
  access-list session global-sacl
  access-list session apprf-ascom-sacl
  access-list session ascom
user-role default-via-role
  access-list session global-sacl
  access-list session apprf-default-via-role-sacl
  access-list session allowall
  access-list session v6-allowall
user-role guest-logon
  captive-portal default
  access-list session ra-guard
  access-list session logon-control
  access-list session captiveportal
  access-list session v6-logon-control
  access-list session captiveportal6
user-role guest
  access-list session global-sacl
  access-list session apprf-guest-sacl
  access-list session ra-guard
  access-list session http-acl
  access-list session https-acl
  access-list session dhcp-acl
  access-list session icmp-acl
  access-list session dns-acl
  access-list session v6-http-acl
  access-list session v6-https-acl
  access-list session v6-dhcp-acl
  access-list session v6-icmp-acl
  access-list session v6-dns-acl
user-role stateful-dot1x
  access-list session global-sacl
  access-list session apprf-stateful-dot1x-sacl
user-role authenticated
  access-list session global-sacl
  access-list session apprf-authenticated-sacl
  access-list session ra-guard
  access-list session allowall
  access-list session v6-allowall
user-role logon
  access-list session ra-guard
  access-list session logon-control
  access-list session captiveportal
  access-list session vpnlogon
  access-list session v6-logon-control

  access-list session captiveportal6
no kernel coredump
interface mgmt
  shutdown
dialer group evdo_us
  init-string ATQ0V1E0
  dial-string ATDT777
dialer group gsm_us
  init-string AT+CGDCONT=1IPISPCINGULAR
  dial-string ATD99
dialer group gsm_asia
  init-string AT+CGDCONT=1IPinternet
  dial-string ATD991
dialer group vivo_br
  init-string AT+CGDCONT=1IPzapvivocombr
  dial-string ATD99
no spanning-tree
interface gigabitethernet 10
  description GE10
  trusted
  trusted vlan 1-4094
interface gigabitethernet 11
  description GE11
  trusted
  trusted vlan 1-4094
interface gigabitethernet 12
  description GE12
  trusted
  trusted vlan 1-4094
interface gigabitethernet 13
  description GE13
  trusted
  trusted vlan 1-4094
interface vlan 1
  ip address 192168013 2552552550
ip default-gateway 172201061
ip default-gateway 192168050
uplink disable

crypto isakmp policy 20
  encryption aes256
crypto isakmp policy 10001
crypto isakmp policy 10002
  encryption aes256
  authentication rsa-sig
crypto isakmp policy 10003
  encryption aes256
crypto isakmp policy 10004
  version v2
  encryption aes256
  authentication rsa-sig
crypto isakmp policy 10005
  encryption aes256
crypto isakmp policy 10006
  version v2
  encryption aes128
  authentication rsa-sig
crypto isakmp policy 10007
  version v2
  encryption aes128
crypto isakmp policy 10008
  version v2
  encryption aes128
  hash sha2-256-128
  group 19
  authentication ecdsa-256
  prf prf-hmac-sha256
crypto isakmp policy 10009
  version v2
  encryption aes256
  hash sha2-384-192
  group 20
  authentication ecdsa-384
  prf prf-hmac-sha384
crypto ipsec transform-set default-ha-transform esp-3des esp-sha-hmac
crypto ipsec transform-set default-boc-bm-transform esp-3des esp-sha-hmac
crypto ipsec transform-set default-rap-transform esp-aes256 esp-sha-hmac
crypto ipsec transform-set default-aes esp-aes256 esp-sha-hmac
crypto dynamic-map default-rap-ipsecmap 10001
  version v2
  set transform-set default-gcm256 default-gcm128 default-rap-transform
crypto dynamic-map default-dynamicmap 10000
  set transform-set default-transform default-aes

crypto map GLOBAL-IKEV2-MAP 10000 ipsec-isakmp dynamic default-rap-ipsecmap
crypto map GLOBAL-MAP 10000 ipsec-isakmp dynamic default-dynamicmap
crypto isakmp eap-passthrough eap-tls
crypto isakmp eap-passthrough eap-peap
crypto isakmp eap-passthrough eap-mschapv2
vpdn group l2tp
vpdn group pptp
tunneled-node-address 0000
adp discovery enable
adp igmp-join enable
adp igmp-vlan 0
voice rtcp-inactivity disable
voice alg-based-cac enable
voice sip-midcall-req-timeout disable
ap ap-blacklist-time 3600
ap flush-r1-on-new-r0 disable
mgmt-user admin root 5436b5a101681372db26d314e974065944317cd3e1fe6a5534
no database synchronize
ip mobile domain default
airgroup mdns enable
airgroup dlna enable
airgroup location-discovery enable
airgroup active-wireless-discovery disable
airgroupservice airplay
  id _airplay_tcp
  id _raop_tcp
  id _appletv-v2_tcp
  description AirPlay
airgroupservice airprint
  id _ipp_tcp
  id _pdl-datastream_tcp
  id _printer_tcp
  id _scanner_tcp
  id _universal_sub_ipp_tcp
  id _universal_sub_ipps_tcp
  id _printer_sub_http_tcp
  id _http_tcp

  id _http-alt_tcp
  id _ipp-tls_tcp
  id _fax-ipp_tcp
  id _riousbprint_tcp
  id _cups_sub_ipp_tcp
  id _cups_sub_fax-ipp_tcp
  id _ica-networking_tcp
  id _ptp_tcp
  id _canon-bjnp1_tcp
  id _ipps_tcp
  id _ica-networking2_tcp
  description AirPrint
airgroupservice itunes
  id _home-sharing_tcp
  id _apple-mobdev_tcp
  id _daap_tcp
  id _dacp_tcp
  description iTunes
airgroupservice remotemgmt
  id _ssh_tcp
  id _sftp-ssh_tcp
  id _ftp_tcp
  id _telnet_tcp
  id _rfb_tcp
  id _net-assistant_tcp
  description Remote management
airgroupservice sharing
  id _odisk_tcp
  id _afpovertcp_tcp
  id _xgrid_tcp
  description Sharing
airgroupservice chat
  id _presence_tcp
  description Chat
airgroupservice googlecast
  id _googlecast_tcp
  description GoogleCast supported by Chromecast etc
airgroupservice DIAL
  id urndial-multiscreen-orgservicedial1
  id urndial-multiscreen-orgdevicedial1
  description DIAL supported by Chromecast FireTV Roku etc
airgroupservice DLNA Media
  id urnschemas-upnp-orgdeviceMediaServer1
  id urnschemas-upnp-orgdeviceMediaServer2
  id urnschemas-upnp-orgdeviceMediaServer3
  id urnschemas-upnp-orgdeviceMediaServer4
  id urnschemas-upnp-orgdeviceMediaRenderer1
  id urnschemas-upnp-orgdeviceMediaRenderer2
  id urnschemas-upnp-orgdeviceMediaRenderer3
  id urnschemas-upnp-orgdeviceMediaPlayer1
  description Media
airgroupservice DLNA Print
  id urnschemas-upnp-orgdevicePrinter1
  id urnschemas-upnp-orgservicePrintBasic1
  id urnschemas-upnp-orgservicePrintEnhanced1
  description Print
airgroupservice allowall

  description Remaining-Services
airgroup service airplay enable
airgroup service airprint enable
airgroup service itunes disable
airgroup service remotemgmt disable
airgroup service sharing disable
airgroup service chat disable
airgroup service googlecast disable
airgroup service DIAL enable
airgroup service DLNA Media disable
airgroup service DLNA Print disable
airgroup service allowall disable
ip igmp
ipv6 mld
no firewall attack-rate cp 1024
firewall enable ICE-STUN based firewall traversal
firewall attack-rate grat-arp 50 drop
ipv6 firewall ext-hdr-parse-len 100
firewall cp
ip domain lookup
country US
aaa authentication mac default
aaa authentication dot1x ArubaIntop-dot1x_prof
aaa authentication dot1x ascom
  machine-authentication enable
  machine-authentication machine-default-role ascom
  machine-authentication user-default-role authenticated
  reauthentication
  termination enable
  termination eap-type eap-peap
  termination inner-eap-type eap-mschapv2
aaa authentication dot1x default
aaa authentication dot1x Freeradius
  machine-authentication enable
  machine-authentication machine-default-role ascom
  machine-authentication user-default-role authenticated
aaa authentication-server radius Intop
  host 19216802

  key 6035e299cd29e5ccb74cf92aac31ee2f
aaa server-group ascom
  auth-server Internal
aaa server-group default
  auth-server Internal
  set role condition role value-of
aaa server-group intop
  auth-server Intop
aaa profile ascom
  initial-role ascom
  authentication-dot1x ascom
  dot1x-default-role authenticated
  dot1x-server-group ascom
aaa profile default
aaa profile default-dot1x
  initial-role ascom
  authentication-dot1x Freeradius
  dot1x-default-role authenticated
  dot1x-server-group intop
aaa profile default-dot1x-psk
  initial-role ascom
  authentication-dot1x default-psk
  dot1x-default-role authenticated
aaa authentication captive-portal default
aaa authentication wispr default
aaa authentication vpn default
aaa authentication vpn default-rap
aaa authentication mgmt
aaa authentication stateful-ntlm default
aaa authentication stateful-kerberos default
aaa authentication stateful-dot1x
  server-group intop
aaa authentication wired
web-server
guest-access-email
voice logging
voice dialplan-profile default
app lync traffic-control default
voice real-time-config
voice sip
aaa password-policy mgmt

control-plane-security
  no cpsec-enable
ids wms-general-profile
  poll-retries 3
ids wms-local-system-profile
valid-network-oui-profile
upgrade-profile
license profile
activate-service-whitelist
file syncing profile
ifmap cppm
pan profile default
pan active-profile
ap system-profile default
ap regulatory-domain-profile default
  country-code US
  valid-11g-channel 1
  valid-11g-channel 6
  valid-11g-channel 11
  valid-11a-channel 36
  valid-11a-channel 40
  valid-11a-channel 44
  valid-11a-channel 48
  valid-11a-channel 149
  valid-11a-channel 153
  valid-11a-channel 157
  valid-11a-channel 161
  valid-11a-channel 165
  valid-11g-40mhz-channel-pair 1-5
  valid-11g-40mhz-channel-pair 7-11
  valid-11a-40mhz-channel-pair 36-40
  valid-11a-40mhz-channel-pair 44-48
  valid-11a-40mhz-channel-pair 149-153
  valid-11a-40mhz-channel-pair 157-161
ap wired-ap-profile default
ap enet-link-profile default
ap mesh-ht-ssid-profile default
ap lldp med-network-policy-profile default
ap mesh-cluster-profile default
ap lldp profile default
ap mesh-radio-profile default
ap wired-port-profile default
ids general-profile default
ids unauthorized-device-profile default

ids profile default
rf arm-profile default
  assignment disable
rf arm-profile disable
  assignment disable
  no scanning
  no multi-band-scan
rf optimization-profile default
rf event-thresholds-profile default
rf am-scan-profile default
rf dot11a-radio-profile ch 165
  channel 48E
  tx-power 6
  arm-profile disable
rf dot11a-radio-profile ch 36
  channel 36E
  tx-power 25
  dot11h
  arm-profile disable
rf dot11a-radio-profile ch 40
  channel 40-
  tx-power 22
rf dot11a-radio-profile ch149
  channel 149E
  tx-power 6
  dot11h
rf dot11a-radio-profile ch44
  channel 44
  tx-power 16
rf dot11a-radio-profile default
  arm-profile disable
rf dot11g-radio-profile channel-1
  channel 1
  tx-power 6
  dot11h
  arm-profile disable
rf dot11g-radio-profile channel-11
  channel 11
  tx-power 30
  dot11h
  arm-profile disable
rf dot11g-radio-profile channel-6
  channel 6
  tx-power 25
  dot11h
  arm-profile disable
rf dot11g-radio-profile default
wlan handover-trigger-profile default

wlan rrm-ie-profile default
wlan bcn-rpt-req-profile default
wlan dot11r-profile default
wlan tsm-req-profile default
wlan voip-cac-profile default
  call-capacity 5
  bandwidth-capacity 200
  send-sip-status-code client 503
  send-sip-status-code server 503
wlan ht-ssid-profile default
  no 40MHz-enable
  no very-high-throughput-enable
  no 80MHz-enable
  no short-guard-intvl-20MHz
  no short-guard-intvl-40MHz
  no short-guard-intvl-80MHz
wlan hotspot anqp-venue-name-profile default
wlan hotspot anqp-nwk-auth-profile default
wlan hotspot anqp-roam-cons-profile default
wlan hotspot anqp-nai-realm-profile default
wlan hotspot anqp-3gpp-nwk-profile default
wlan hotspot h2qp-operator-friendly-name-profile default
wlan hotspot h2qp-wan-metrics-profile default
wlan hotspot h2qp-conn-capability-profile default
wlan hotspot h2qp-op-cl-profile default
wlan hotspot anqp-ip-addr-avail-profile default
wlan hotspot anqp-domain-name-profile default
wlan wmm-traffic-management-profile Ascom
  enable-shaping
wlan edca-parameters-profile station default
wlan edca-parameters-profile ap default
wlan dot11k-profile default
wlan ssid-profile --NEW--
  essid ArubaIntop2
  wmm-vo-dscp 56
  wmm-vi-dscp 40
  wmm-be-dscp 24
  wmm-bk-dscp 8
wlan ssid-profile default
  essid ArubaIntop
  opmode wpa2-psk-aes
  dtim-period 5
  g-basic-rates 6
  g-tx-rates 11 12 18 24 36 48 54

  max-retries 4
  wmm
  wmm-vo-dscp 46
  wmm-vi-dscp 40
  wmm-be-dscp 26
  wmm-bk-dscp 0
  wepkey1 1317981aecb1ee9a3145cbeeabbbc99a4c29e309ef9c8544
  wpa-passphrase 50a78a5dac7e447441e028920cceef898a3ba5f29c6e2098
  max-tx-fail 25
  edca-parameters-profile station default
  edca-parameters-profile ap default
wlan ssid-profile test
  opmode wpa2-psk-aes
  wmm-vo-dscp 56
  wmm-vi-dscp 40
  wmm-be-dscp 24
  wmm-bk-dscp 8
  wpa-passphrase c66913b490044f55538730b888a8522c02008a746fb88738
wlan hotspot advertisement-profile default
wlan hotspot hs2-profile default
wlan virtual-ap default
  aaa-profile default-dot1x
ap provisioning-profile default
rf arm-rf-domain-profile
  arm-rf-domain-key 49868e8b02680a8f03980ea4288197a4
ap-lacp-striping-ip
ap-group default
  virtual-ap default
  dot11a-radio-profile ch149
  dot11g-radio-profile channel-6
ap-name 001a1eca2c1a
  dot11a-radio-profile ch 36
  dot11g-radio-profile channel-11
ap-name 001a1eca2c76
  dot11a-radio-profile ch 36
  dot11g-radio-profile channel-1
ap-name 00246ccbf8b1
ap-name 00246ccbf900
  dot11a-radio-profile ch44
  dot11g-radio-profile channel-11
ap-name 24dec6cacabc
  dot11a-radio-profile ch149
  dot11g-radio-profile channel-1
ap-name 3400-ap-61-a
  dot11g-radio-profile channel-6
ap-name 3400-ap-61-b
  dot11g-radio-profile channel-6
ap-name 9c1c12c0c3bc
  dot11a-radio-profile ch 165
  dot11g-radio-profile channel-6

ap-name 9c1c12c82e5c
  dot11a-radio-profile ch149
  dot11g-radio-profile channel-1
ap-name 9c1c12cc6220
  dot11a-radio-profile ch 36
  dot11g-radio-profile channel-6
ap-name d8c7c8c0a168
  dot11a-radio-profile ch 36
  dot11g-radio-profile channel-1
airgroup cppm-server aaa
logging level warnings security subcat ids
logging level warnings security subcat ids-ap
snmp-server enable trap
snmp-server trap source 0000
snmp-server trap disable wlsxAdhocNetwork
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedAP
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedSta
snmp-server trap disable wlsxAdhocUsingValidSSID
snmp-server trap disable wlsxAuthMaxAclEntries
snmp-server trap disable wlsxAuthMaxBWContracts
snmp-server trap disable wlsxAuthMaxUserEntries
snmp-server trap disable wlsxAuthServerIsUp
snmp-server trap disable wlsxAuthServerReqTimedOut
snmp-server trap disable wlsxAuthServerTimedOut
snmp-server trap disable wlsxChannelChanged
snmp-server trap disable wlsxCoverageHoleDetected
snmp-server trap disable wlsxDBCommunicationFailure
snmp-server trap disable wlsxDisconnectStationAttack
snmp-server trap disable wlsxESIServerDown
snmp-server trap disable wlsxESIServerUp
snmp-server trap disable wlsxFanFailure
snmp-server trap disable wlsxFanTrayInserted
snmp-server trap disable wlsxFanTrayRemoved
snmp-server trap disable wlsxGBICInserted
snmp-server trap disable wlsxIpSpoofingDetected
snmp-server trap disable wlsxLCInserted
snmp-server trap disable wlsxLCRemoved
snmp-server trap disable wlsxLicenseExpiry
snmp-server trap disable wlsxLowMemory
snmp-server trap disable wlsxLowOnFlashSpace
snmp-server trap disable wlsxOutOfRangeTemperature
snmp-server trap disable wlsxOutOfRangeVoltage
snmp-server trap disable wlsxPowerSupplyFailure
snmp-server trap disable wlsxPowerSupplyMissing
snmp-server trap disable wlsxProcessDied
snmp-server trap disable wlsxProcessExceedsMemoryLimits
snmp-server trap disable wlsxSCInserted
snmp-server trap disable wlsxSignatureMatch
snmp-server trap disable wlsxStaUnAssociatedFromUnsecureAP
snmp-server trap disable wlsxStationAddedToBlackList
snmp-server trap disable wlsxStationRemovedFromBlackList
snmp-server trap disable wlsxSwitchIPChanged
snmp-server trap disable wlsxSwitchRoleChange
snmp-server trap disable wlsxUserAuthenticationFailed
snmp-server trap disable wlsxUserEntryAuthenticated
snmp-server trap disable wlsxUserEntryChanged
snmp-server trap disable wlsxUserEntryCreated
snmp-server trap disable wlsxUserEntryDeAuthenticated
snmp-server trap disable wlsxUserEntryDeleted
snmp-server trap disable wlsxVrrpStateChange

firewall-visibility
process monitor log
end

supported by Chromecast FireTV Roku etcairgroupservice DLNA Media id urnschemas-upnp-orgdeviceMediaServer1 id urnschemas-upnp-orgdeviceMediaServer2 id urnschemas-upnp-orgdeviceMediaServer3 id urnschemas-upnp-orgdeviceMediaServer4 id urnschemas-upnp-orgdeviceMediaRenderer1 id urnschemas-upnp-orgdeviceMediaRenderer2 id urnschemas-upnp-orgdeviceMediaRenderer3 id urnschemas-upnp-orgdeviceMediaPlayer1 description Mediaairgroupservice DLNA Print id urnschemas-upnp-orgdevicePrinter1 id urnschemas-upnp-orgservicePrintBasic1 id urnschemas-upnp-orgservicePrintEnhanced1 description Printairgroupservice allowall description Remaining-Servicesairgroup service airplay enableairgroup service airprint enableairgroup service itunes disableairgroup service remotemgmt disableairgroup service sharing disableairgroup service chat disableairgroup service googlecast disableairgroup service DIAL enableairgroup service DLNA Media disableairgroup service DLNA Print disableairgroup service allowall disableip igmpipv6 mldno firewall attack-rate cp 1024firewall enable ICE-STUN based firewall traversalfirewall attack-rate grat-arp 50 dropipv6 firewall ext-hdr-parse-len 100firewall cpip domain lookupcountry USaaa authentication mac defaultaaa authentication dot1x ArubaIntop-dot1x_profaaa authentication dot1x ascom machine-authentication enable machine-authentication machine-default-role ascom machine-authentication user-default-role authenticated reauthentication termination enable termination eap-type eap-peap termination inner-eap-type eap-mschapv2aaa authentication dot1x defaultaaa authentication dot1x Freeradius machine-authentication enable machine-authentication machine-default-role ascom machine-authentication user-default-role authenticatedaaa authentication-server radius Intop host 19216802 key 6035e299cd29e5ccb74cf92aac31ee2faaa server-group ascom auth-server Internalaaa server-group default auth-server Internal set role condition role value-ofaaa server-group intop auth-server 
Intopaaa profile ascom initial-role ascom authentication-dot1x ascom dot1x-default-role authenticated dot1x-server-group ascomaaa profile defaultaaa profile default-dot1x initial-role ascom authentication-dot1x Freeradius dot1x-default-role authenticated dot1x-server-group intopaaa profile default-dot1x-psk initial-role ascom authentication-dot1x default-psk dot1x-default-role authenticatedaaa authentication captive-portal defaultaaa authentication wispr defaultaaa authentication vpn defaultaaa authentication vpn default-rapaaa authentication mgmtaaa authentication stateful-ntlm defaultaaa authentication stateful-kerberos defaultaaa authentication stateful-dot1x server-group intopaaa authentication wiredweb-serverguest-access-emailvoice loggingvoice dialplan-profile defaultapp lync traffic-control defaultvoice real-time-configvoice sipaaa password-policy mgmtcontrol-plane-security no cpsec-enableids wms-general-profile poll-retries 3ids wms-local-system-profilevalid-network-oui-profileupgrade-profilelicense profileactivate-service-whitelistfile syncing profileifmap cppmpan profile defaultpan active-profileap system-profile defaultap regulatory-domain-profile default country-code US valid-11g-channel 1 valid-11g-channel 6 valid-11g-channel 11 valid-11a-channel 36 valid-11a-channel 40 valid-11a-channel 44 valid-11a-channel 48 valid-11a-channel 149 valid-11a-channel 153 valid-11a-channel 157 valid-11a-channel 161 valid-11a-channel 165 valid-11g-40mhz-channel-pair 1-5 valid-11g-40mhz-channel-pair 7-11 valid-11a-40mhz-channel-pair 36-40 valid-11a-40mhz-channel-pair 44-48 valid-11a-40mhz-channel-pair 149-153 valid-11a-40mhz-channel-pair 157-161ap wired-ap-profile defaultap enet-link-profile defaultap mesh-ht-ssid-profile defaultap lldp med-network-policy-profile defaultap mesh-cluster-profile defaultap lldp profile defaultap mesh-radio-profile defaultap wired-port-profile defaultids general-profile defaultids unauthorized-device-profile defaultids profile defaultrf 
arm-profile default assignment disablerf arm-profile disable assignment disable no scanning no multi-band-scanrf optimization-profile defaultrf event-thresholds-profile defaultrf am-scan-profile defaultrf dot11a-radio-profile ch 165 channel 48E tx-power 6 arm-profile disablerf dot11a-radio-profile ch 36 channel 36E tx-power 25 dot11h arm-profile disablerf dot11a-radio-profile ch 40 channel 40- tx-power 22rf dot11a-radio-profile ch149 channel 149E tx-power 6 dot11hrf dot11a-radio-profile ch44 channel 44 tx-power 16rf dot11a-radio-profile default arm-profile disablerf dot11g-radio-profile channel-1 channel 1 tx-power 6 dot11h arm-profile disablerf dot11g-radio-profile channel-11 channel 11 tx-power 30 dot11h arm-profile disablerf dot11g-radio-profile channel-6 channel 6 tx-power 25 dot11h arm-profile disablerf dot11g-radio-profile defaultwlan handover-trigger-profile defaultwlan rrm-ie-profile defaultwlan bcn-rpt-req-profile defaultwlan dot11r-profile defaultwlan tsm-req-profile defaultwlan voip-cac-profile default call-capacity 5 bandwidth-capacity 200 send-sip-status-code client 503 send-sip-status-code server 503wlan ht-ssid-profile default no 40MHz-enable no very-high-throughput-enable no 80MHz-enable no short-guard-intvl-20MHz no short-guard-intvl-40MHz no short-guard-intvl-80MHzwlan hotspot anqp-venue-name-profile defaultwlan hotspot anqp-nwk-auth-profile defaultwlan hotspot anqp-roam-cons-profile defaultwlan hotspot anqp-nai-realm-profile defaultwlan hotspot anqp-3gpp-nwk-profile defaultwlan hotspot h2qp-operator-friendly-name-profile defaultwlan hotspot h2qp-wan-metrics-profile defaultwlan hotspot h2qp-conn-capability-profile defaultwlan hotspot h2qp-op-cl-profile defaultwlan hotspot anqp-ip-addr-avail-profile defaultwlan hotspot anqp-domain-name-profile defaultwlan wmm-traffic-management-profile Ascom enable-shapingwlan edca-parameters-profile station defaultwlan edca-parameters-profile ap defaultwlan dot11k-profile defaultwlan ssid-profile --NEW-- essid 
ArubaIntop2 wmm-vo-dscp 56 wmm-vi-dscp 40 wmm-be-dscp 24 wmm-bk-dscp 8wlan ssid-profile default essid ArubaIntop opmode wpa2-psk-aes dtim-period 5 g-basic-rates 6 g-tx-rates 11 12 18 24 36 48 54 max-retries 4 wmm wmm-vo-dscp 46 wmm-vi-dscp 40 wmm-be-dscp 26 wmm-bk-dscp 0 wepkey1 1317981aecb1ee9a3145cbeeabbbc99a4c29e309ef9c8544 wpa-passphrase 50a78a5dac7e447441e028920cceef898a3ba5f29c6e2098 max-tx-fail 25 edca-parameters-profile station default edca-parameters-profile ap defaultwlan ssid-profile test opmode wpa2-psk-aes wmm-vo-dscp 56 wmm-vi-dscp 40 wmm-be-dscp 24 wmm-bk-dscp 8 wpa-passphrase c66913b490044f55538730b888a8522c02008a746fb88738wlan hotspot advertisement-profile defaultwlan hotspot hs2-profile defaultwlan virtual-ap default aaa-profile default-dot1xap provisioning-profile defaultrf arm-rf-domain-profile arm-rf-domain-key 49868e8b02680a8f03980ea4288197a4ap-lacp-striping-ipap-group default virtual-ap default dot11a-radio-profile ch149 dot11g-radio-profile channel-6ap-name 001a1eca2c1a dot11a-radio-profile ch 36 dot11g-radio-profile channel-11ap-name 001a1eca2c76 dot11a-radio-profile ch 36 dot11g-radio-profile channel-1ap-name 00246ccbf8b1ap-name 00246ccbf900 dot11a-radio-profile ch44 dot11g-radio-profile channel-11ap-name 24dec6cacabc dot11a-radio-profile ch149 dot11g-radio-profile channel-1ap-name 3400-ap-61-a dot11g-radio-profile channel-6ap-name 3400-ap-61-b dot11g-radio-profile channel-6ap-name 9c1c12c0c3bc dot11a-radio-profile ch 165 dot11g-radio-profile channel-6ap-name 9c1c12c82e5c dot11a-radio-profile ch149 dot11g-radio-profile channel-1ap-name 9c1c12cc6220 dot11a-radio-profile ch 36 dot11g-radio-profile channel-6ap-name d8c7c8c0a168 dot11a-radio-profile ch 36 dot11g-radio-profile channel-1airgroup cppm-server aaalogging level warnings security subcat idslogging level warnings security subcat ids-apsnmp-server enable trapsnmp-server trap source 0000snmp-server trap disable wlsxAdhocNetworksnmp-server trap disable 
wlsxAdhocNetworkBridgeDetectedAPsnmp-server trap disable wlsxAdhocNetworkBridgeDetectedStasnmp-server trap disable wlsxAdhocUsingValidSSIDsnmp-server trap disable wlsxAuthMaxAclEntriessnmp-server trap disable wlsxAuthMaxBWContractssnmp-server trap disable wlsxAuthMaxUserEntriessnmp-server trap disable wlsxAuthServerIsUpsnmp-server trap disable wlsxAuthServerReqTimedOutsnmp-server trap disable wlsxAuthServerTimedOutsnmp-server trap disable wlsxChannelChangedsnmp-server trap disable wlsxCoverageHoleDetectedsnmp-server trap disable wlsxDBCommunicationFailuresnmp-server trap disable wlsxDisconnectStationAttacksnmp-server trap disable wlsxESIServerDownsnmp-server trap disable wlsxESIServerUpsnmp-server trap disable wlsxFanFailuresnmp-server trap disable wlsxFanTrayInsertedsnmp-server trap disable wlsxFanTrayRemovedsnmp-server trap disable wlsxGBICInsertedsnmp-server trap disable wlsxIpSpoofingDetectedsnmp-server trap disable wlsxLCInsertedsnmp-server trap disable wlsxLCRemovedsnmp-server trap disable wlsxLicenseExpirysnmp-server trap disable wlsxLowMemorysnmp-server trap disable wlsxLowOnFlashSpacesnmp-server trap disable wlsxOutOfRangeTemperaturesnmp-server trap disable wlsxOutOfRangeVoltagesnmp-server trap disable wlsxPowerSupplyFailuresnmp-server trap disable wlsxPowerSupplyMissingsnmp-server trap disable wlsxProcessDiedsnmp-server trap disable wlsxProcessExceedsMemoryLimitssnmp-server trap disable wlsxSCInsertedsnmp-server trap disable wlsxSignatureMatchsnmp-server trap disable wlsxStaUnAssociatedFromUnsecureAPsnmp-server trap disable wlsxStationAddedToBlackListsnmp-server trap disable wlsxStationRemovedFromBlackListsnmp-server trap disable wlsxSwitchIPChangedsnmp-server trap disable wlsxSwitchRoleChangesnmp-server trap disable wlsxUserAuthenticationFailedsnmp-server trap disable wlsxUserEntryAuthenticatedsnmp-server trap disable wlsxUserEntryChangedsnmp-server trap disable wlsxUserEntryCreatedsnmp-server trap disable wlsxUserEntryDeAuthenticatedsnmp-server trap 
disable wlsxUserEntryDeletedsnmp-server trap disable wlsxVrrpStateChangefirewall-visibility process monitor logend
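The user-role and session-ACL stanzas in the configuration above decide what a handset can reach once it lands in a role. The following Python is an added example, not part of the original guide or of ArubaOS: it parses such stanzas and lists the roles whose ACLs contain an unrestricted `any any any permit` rule. The sample text is retyped from this appendix (voice role trimmed), and all function names are the example's own.

```python
"""List ArubaOS user-roles whose session ACLs contain an unrestricted permit."""

# Constructed sample: stanzas retyped from the appendix configuration, one
# statement per line; the voice role is trimmed to four of its ACLs.
SAMPLE_CONFIG = """\
ip access-list session allowall
  any any any permit
ip access-list session ascom
  any any any permit
ip access-list session sip-acl
  any any svc-sip-udp permit queue high
  any any svc-sip-tcp permit queue high
ip access-list session dhcp-acl
  any any svc-dhcp permit
ip access-list session dns-acl
  any any svc-dns permit
ip access-list session ra-guard
  ipv6 user any icmpv6 rtr-adv deny
ip access-list session global-sacl
ip access-list session apprf-ascom-sacl
user-role ascom
  access-list session global-sacl
  access-list session apprf-ascom-sacl
  access-list session ascom
user-role voice
  access-list session ra-guard
  access-list session sip-acl
  access-list session dhcp-acl
  access-list session dns-acl
user-role authenticated
  access-list session ra-guard
  access-list session allowall
user-role denyall
"""

# Number of arguments that follow each source/destination keyword in a rule.
ENDPOINT_ARGS = {"any": 0, "user": 0, "host": 1, "alias": 1, "network": 2}
ACTIONS = {"permit", "deny", "dst-nat", "src-nat", "captive"}


def parse_config(text):
    """Return (acls, roles): ACL name -> rule lines, role name -> ACL names."""
    acls, roles, current = {}, {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        words = raw.split()
        if not raw[0].isspace():              # unindented line opens a stanza
            if words[:3] == ["ip", "access-list", "session"] and len(words) == 4:
                current = acls.setdefault(words[3], [])
            elif words[0] == "user-role" and len(words) == 2:
                current = roles.setdefault(words[1], [])
            else:
                current = None                # stanza type not analysed here
        elif current is not None:
            current.append(" ".join(words))
    for name, lines in roles.items():         # keep only the ACL references
        roles[name] = [l.split()[2] for l in lines
                       if l.startswith("access-list session ")]
    return acls, roles


def parse_rule(rule):
    """Split a rule into (family, source, destination, service, action)."""
    words = rule.split()
    family = "ipv4"
    if words and words[0] == "ipv6":
        family, words = "ipv6", words[1:]
    ends = []
    for _ in range(2):                        # source, then destination
        if not words or words[0] not in ENDPOINT_ARGS:
            return None
        n = 1 + ENDPOINT_ARGS[words[0]]
        ends.append(" ".join(words[:n]))
        words = words[n:]
    for i, word in enumerate(words):          # service runs up to the action
        if word in ACTIONS:
            return family, ends[0], ends[1], " ".join(words[:i]), word
    return None


def is_unrestricted(rule):
    """True for a permit from any/user to any destination on any service."""
    parsed = parse_rule(rule)
    if parsed is None:
        return False
    _, src, dst, service, action = parsed
    return (src in ("any", "user") and dst == "any"
            and service == "any" and action == "permit")


def unrestricted_roles(text):
    """Map each role to the ACLs that give it an unrestricted permit."""
    acls, roles = parse_config(text)
    findings = {}
    for role, acl_names in roles.items():
        hits = [a for a in acl_names
                if any(is_unrestricted(r) for r in acls.get(a, []))]
        if hits:
            findings[role] = hits
    return findings


if __name__ == "__main__":
    for role, hits in unrestricted_roles(SAMPLE_CONFIG).items():
        print(f"{role}: unrestricted permit via {', '.join(hits)}")
```

On the sample this reports the ascom and authenticated roles, which are the initial and 802.1X default roles of the ascom AAA profile in the configuration, while the voice role is limited to the listed voice and support services.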

WLAN TR


WLAN Interoperability Test Report
Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP115 and AP225
WLAN configuration: Beacon Interval 100 ms, DTIM Interval 5, 802.11d Regulatory Domain XX, WMM Enabled (AutoWMM), No Auto-tune, Single Voice VLAN
Columns: Test Case, Description, Verdict (AP115 2.4 GHz), Verdict (AP115 5.0 GHz), Verdict (AP225 2.4 GHz), Verdict (AP225 5.0 GHz), Comment
TEST AREA ASSOCIATION AUTHENTICATION
101 Association with open authentication no encryption PASS PASS PASS PASS
104 Association with WPA-PSK authentication TKIP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED Not tested. Only possible in Mixed mode and requires advanced configuration of i62.
105 Association with WPA-PSK authentication AES-CCMP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED Not tested. Only possible in Mixed mode and requires advanced configuration of i62.
106 Association with WPA2-PSK authentication TKIP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED
107 Association with WPA2-PSK authentication AES-CCMP encryption PASS PASS PASS PASS
110 Association with PEAP-MSCHAPv2 auth AES-CCMP encryption PASS PASS PASS PASS FreeRADIUS RootCA FAIL
111 Association with EAP-FAST authentication NOT TESTED NOT TESTED NOT TESTED NOT TESTED
115 Association with multiple ESSIDs on AP PASS PASS PASS PASS See Comment
116 Association with EAP-TLS authentication PASS PASS PASS PASS FreeRADIUS RootCA + client certificate
TEST AREA POWER-SAVE AND QOS PASS
150 802.11 Power-save mode PASS PASS PASS PASS FAIL
151 Beacon period and DTIM interval NOT TESTED NOT TESTED NOT TESTED NOT TESTED NOT TESTED
152 802.11e U-APSD PASS PASS PASS PASS See Comment
202 WMM prioritization PASS PASS PASS PASS Background load generated with iPerf. No degradation of voice quality.
TEST AREA PERFORMANCE
301 Active mode - unencrypted NOT TESTED NOT TESTED NOT TESTED NOT TESTED
303 Active mode - encrypted with WPA2-PSK NOT TESTED NOT TESTED NOT TESTED NOT TESTED
308 Power-save mode U-APSD - WPA2-PSK NOT TESTED NOT TESTED NOT TESTED NOT TESTED
309 Power-save mode U-APSD - WPA2-PSK AES background load NOT TESTED NOT TESTED NOT TESTED NOT TESTED
310 CAC - TSPEC PASS PASS PASS PASS No TSPEC based CAC
TEST AREA ROAMING AND HANDOVER TIMES
401 Handover with open authentication and no encryption PASS PASS PASS PASS avg a/n 24 ms, b/g/n 24 ms
403 Handover with WPA-PSK authentication and TKIP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED
404 Handover with WPA2-PSK auth and AES-CCMP encryption PASS PASS PASS PASS avg a/n 52 ms, b/g/n 59 ms
408 Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption PASS PASS PASS PASS avg a/n 63 ms, b/g/n 62 ms
410 Handover using PMKSA caching PASS PASS PASS PASS always on, see 408
411 Handover using PMKSA and opportunistic/proactive key caching PASS PASS PASS PASS always on, see 408
TEST AREA BATTERY LIFETIME
501 Battery lifetime in idle NOT TESTED NOT TESTED NOT TESTED NOT TESTED
502 Battery lifetime in call with no power save NOT TESTED NOT TESTED NOT TESTED NOT TESTED
504 Battery lifetime in call with power save mode U-APSD NOT TESTED NOT TESTED NOT TESTED NOT TESTED
TEST AREA STABILITY
601 Duration of call - Active mode NOT TESTED NOT TESTED NOT TESTED NOT TESTED
602 Duration of call - U-APSD mode PASS PASS PASS PASS
TEST AREA 802.11n
801 Frame aggregation A-MSDU NOT TESTED NOT TESTED NOT TESTED NOT TESTED
802 Frame aggregation A-MPDU NOT TESTED NOT TESTED NOT TESTED NOT TESTED
804 40 MHz channels NOT TESTED PASS NOT TESTED NOT TESTED
805 802.11n rates PASS PASS PASS PASS
WLAN Interoperability Test Report
Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP103 and AP205
WLAN configuration: Beacon Interval 100 ms, DTIM Interval 5, 802.11d Regulatory Domain XX, WMM Enabled (AutoWMM), No Auto-tune, Single Voice VLAN
Columns: Test Case, Description, Verdict (AP205 2.4 GHz), Verdict (AP205 5.0 GHz), Verdict (AP103 2.4 GHz), Verdict (AP103 5.0 GHz), Comment
TEST AREA ASSOCIATION AUTHENTICATION
101 Association with open authentication no encryption PASS PASS PASS PASS
104 Association with WPA-PSK authentication TKIP encryption See Comment See Comment See Comment See Comment Not tested. Only possible in Mixed mode and requires advanced configuration of i62.
105 Association with WPA-PSK authentication AES-CCMP encryption See Comment See Comment See Comment See Comment Not tested. Only possible in Mixed mode and requires advanced configuration of i62.
106 Association with WPA2-PSK authentication TKIP encryption PASS PASS PASS PASS
107 Association with WPA2-PSK authentication AES-CCMP encryption PASS PASS PASS PASS
110 Association with PEAP-MSCHAPv2 auth AES-CCMP encryption PASS PASS PASS PASS FreeRADIUS RootCA FAIL
115 Association with multiple ESSIDs on AP PASS PASS PASS PASS See Comment
116 Association with EAP-TLS authentication PASS PASS PASS PASS FreeRADIUS RootCA + client certificate
TEST AREA POWER-SAVE AND QOS PASS
150 802.11 Power-save mode PASS PASS PASS PASS FAIL
151 Beacon period and DTIM interval See Comment See Comment PASS PASS Only DTIM 1 for AP205, AP103 no remark NOT TESTED
152 802.11e U-APSD PASS PASS PASS PASS See Comment
202 WMM prioritization PASS PASS PASS PASS
TEST AREA PERFORMANCE
301 Active mode - unencrypted PASS PASS PASS PASS
303 Active mode - encrypted with WPA2-PSK PASS PASS PASS PASS
308 Power-save mode U-APSD - WPA2-PSK PASS PASS PASS PASS
309 Power-save mode U-APSD - WPA2-PSK AES background load NOT TESTED NOT TESTED NOT TESTED NOT TESTED
310 CAC - TSPEC PASS PASS PASS PASS Non-TSPEC based CAC
TEST AREA ROAMING AND HANDOVER TIMES
401 Handover with open authentication and no encryption PASS PASS PASS PASS Typical average roaming time a/n/ac 16 ms, b/g/n 18 ms
403 Handover with WPA-PSK authentication and TKIP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED
404 Handover with WPA2-PSK auth and AES-CCMP encryption PASS PASS PASS PASS Typical average roaming time a/n/ac 53 ms, b/g/n 59 ms
408 Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption PASS PASS PASS PASS Typical average roaming time a/n/ac 46 ms, b/g/n 62 ms
410 Handover using PMKSA caching PASS PASS PASS PASS always on, see 408
411 Handover using PMKSA and opportunistic/proactive key caching PASS PASS PASS PASS always on, see 408
TEST AREA BATTERY LIFETIME
501 Battery lifetime in idle See Comment See Comment PASS PASS 60-70h due to DTIM 1 only AP103 90 100h (DTIM 5)
502 Battery lifetime in call with no power save PASS PASS PASS PASS 3-4hours
504 Battery lifetime in call with power save mode U-APSD PASS PASS PASS PASS 13h (14-16h for AP103)
TEST AREA STABILITY
601 Duration of call - Active mode PASS PASS PASS PASS 24h +
602 Duration of call - U-APSD mode PASS PASS PASS PASS 24h +
TEST AREA 802.11n
801 Frame aggregation A-MSDU NOT TESTED NOT TESTED NOT TESTED NOT TESTED
802 Frame aggregation A-MPDU NOT TESTED NOT TESTED NOT TESTED NOT TESTED
804 40 MHz channels NOT TESTED PASS NOT TESTED PASS AP205 80 MHz channels verified ok
805 802.11n rates PASS PASS PASS PASS
WLAN Interoperability Test Report
Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP105 and AP135
WLAN configuration: Beacon Interval 100 ms, DTIM Interval 5, 802.11d Regulatory Domain XX, WMM Enabled (AutoWMM), No Auto-tune, Single Voice VLAN
Columns: Test Case, Description, Verdict (AP105 2.4 GHz), Verdict (AP105 5.0 GHz), Verdict (AP135 2.4 GHz), Verdict (AP135 5.0 GHz), Comment
TEST AREA ASSOCIATION AUTHENTICATION
101 Association with open authentication no encryption PASS PASS PASS PASS
104 Association with WPA-PSK authentication TKIP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED Not tested. Only possible in Mixed mode and requires advanced configuration of i62.
105 Association with WPA-PSK authentication AES-CCMP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED Not tested. Only possible in Mixed mode and requires advanced configuration of i62.
106 Association with WPA2-PSK authentication TKIP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED
107 Association with WPA2-PSK authentication AES-CCMP encryption PASS PASS PASS PASS
110 Association with PEAP-MSCHAPv2 auth AES-CCMP encryption PASS PASS PASS PASS FreeRADIUS RootCA FAIL
115 Association with multiple ESSIDs on AP PASS PASS PASS PASS See Comment
116 Association with EAP-TLS authentication PASS PASS PASS PASS FreeRADIUS RootCA + client certificate
TEST AREA POWER-SAVE AND QOS PASS
150 802.11 Power-save mode PASS PASS PASS PASS FAIL
151 Beacon period and DTIM interval NOT TESTED NOT TESTED NOT TESTED NOT TESTED Only DTIM 1 for AP205, AP103 no remark NOT TESTED
152 802.11e U-APSD PASS PASS PASS PASS See Comment
202 WMM prioritization NOT TESTED NOT TESTED NOT TESTED NOT TESTED Background load generated with iPerf. No degradation of voice quality.
TEST AREA PERFORMANCE
301 Active mode - unencrypted NOT TESTED NOT TESTED NOT TESTED NOT TESTED
303 Active mode - encrypted with WPA2-PSK NOT TESTED NOT TESTED NOT TESTED NOT TESTED
308 Power-save mode U-APSD - WPA2-PSK NOT TESTED NOT TESTED NOT TESTED NOT TESTED
309 Power-save mode U-APSD - WPA2-PSK AES background load NOT TESTED NOT TESTED NOT TESTED NOT TESTED
310 CAC - TSPEC PASS PASS PASS PASS No TSPEC based CAC
TEST AREA ROAMING AND HANDOVER TIMES
401 Handover with open authentication and no encryption PASS PASS PASS PASS avg a/n 29 ms, b/g/n 27 ms
403 Handover with WPA-PSK authentication and TKIP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED
404 Handover with WPA2-PSK auth and AES-CCMP encryption PASS PASS PASS PASS avg a/n 57 ms, b/g/n 55 ms
408 Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption PASS PASS PASS PASS avg a/n 62 ms, b/g/n 60 ms
410 Handover using PMKSA caching PASS PASS PASS PASS Always on, see 408
411 Handover using PMKSA and opportunistic/proactive key caching PASS PASS PASS PASS Always on, see 408
412 Preauthentication NOT TESTED NOT TESTED NOT TESTED NOT TESTED
TEST AREA BATTERY LIFETIME
501 Battery lifetime in idle NOT TESTED NOT TESTED NOT TESTED NOT TESTED
502 Battery lifetime in call with no power save NOT TESTED NOT TESTED NOT TESTED NOT TESTED
504 Battery lifetime in call with power save mode U-APSD NOT TESTED NOT TESTED NOT TESTED NOT TESTED
TEST AREA STABILITY
601 Duration of call - Active mode PASS PASS PASS PASS
602 Duration of call - U-APSD mode PASS PASS PASS PASS
TEST AREA 802.11n
801 Frame aggregation A-MSDU NOT TESTED NOT TESTED NOT TESTED NOT TESTED
802 Frame aggregation A-MPDU NOT TESTED NOT TESTED NOT TESTED NOT TESTED
804 40 MHz channels NOT TESTED NOT TESTED NOT TESTED PASS
805 802.11n rates PASS PASS PASS PASS

Step 3: Choose the 802.1X Authentication profile created in the previous step and configure the Authentication Server group.

Choose the configured AAA Profile and set WPA2/AES as the security mode.

See Appendix B for the controller configuration used for the certification process.

Ascom i62 Setting Summary

Network settings for WPA2‐PSK

Network settings for 802.1X authentication (PEAP-MSCHAPv2)

802.1X authentication requires a root certificate to be uploaded to the phone by "right clicking" -> Edit certificates. EAP-TLS will require both a root and a client certificate.

Note that both a root and a client certificate are needed for TLS. Otherwise only a root certificate is needed.

Server certificate validation can be overridden in version 4112 and above per handset setting (Validate server certificate under Network settings).

APPENDIX B

Test Summary

Description              Runs
Tests passed             24
Tests Not Run            11
Tests fail               0
Test NA                  0
Total Number of Tests    35


Aruba Test Configuration File

version 6.4
enable secret 7d3988e20126db68084797bcc038534bffc2ced01c24555806
hostname Aruba3400
clock timezone PST -8
location Building1.floor1
controller config 716
ip NAT pool dynamic-srcnat 0.0.0.0 0.0.0.0
ip access-list eth validuserethacl
  permit any
netservice svc-pcoip2-tcp tcp 4172
netservice svc-snmp-trap udp 162
netservice svc-netbios-dgm udp 138
netservice svc-citrix tcp 2598
netservice svc-smb-tcp tcp 445
netservice svc-ike udp 500
netservice svc-l2tp udp 1701
netservice svc-syslog udp 514
netservice svc-dhcp udp 67 68 alg dhcp
netservice svc-https tcp 443
netservice svc-ica tcp 1494
netservice svc-pptp tcp 1723
netservice svc-telnet tcp 23
netservice svc-http-accl tcp 88
netservice svc-sccp tcp 2000 alg sccp
netservice svc-sec-papi udp 8209
netservice svc-tftp udp 69 alg tftp
netservice svc-kerberos udp 88
netservice svc-sip-tcp tcp 5060
netservice svc-netbios-ssn tcp 139
netservice svc-pcoip-udp udp 50002
netservice svc-pcoip-tcp tcp 50002
netservice svc-pop3 tcp 110
netservice svc-adp udp 8200
netservice svc-cfgm-tcp tcp 8211
netservice svc-noe udp 32512 alg noe
netservice svc-http-proxy3 tcp 8888
netservice svc-lpd-tcp tcp 631
netservice svc-msrpc-tcp tcp 135 139
netservice svc-rtsp tcp 554 alg rtsp
netservice svc-dns udp 53 alg dns
netservice vnc tcp 5900 5905
netservice svc-vocera udp 5002 alg vocera
netservice svc-h323-tcp tcp 1720
netservice svc-h323-udp udp 1718 1719
netservice svc-http tcp 80
netservice svc-nterm tcp 1026 1028
netservice svc-sip-udp udp 5060
netservice svc-http-proxy2 tcp 8080
netservice svc-noe-oxo udp 5000 alg noe
netservice svc-papi udp 8211
netservice svc-ftp tcp 21 alg ftp
netservice svc-natt udp 4500
netservice svc-svp 119 alg svp
netservice svc-microsoft-ds tcp 445
netservice svc-gre 47
netservice svc-smtp tcp 25
netservice web tcp list 80 443
netservice svc-smb-udp udp 445
netservice svc-sips tcp 5061 alg sips
netservice svc-netbios-ns udp 137
netservice svc-esp 50


netservice svc-cups tcp 515
netservice svc-pcoip2-udp udp 4172
netservice svc-bootp udp 67 69
netservice svc-snmp udp 161
netservice svc-v6-dhcp udp 546 547
netservice svc-icmp 1
netservice svc-ntp udp 123
netservice svc-msrpc-udp udp 135 139
netservice svc-ssh tcp 22
netservice svc-http-proxy1 tcp 3128
netservice svc-v6-icmp 58
netservice svc-lpd-udp udp 631
netservice svc-vmware-rdp tcp 3389
netdestination6 ipv6-reserved-range
  invert
  network 2000::/3
netexthdr default
time-range night-hours periodic
  weekday 18:01 to 23:59
  weekday 00:00 to 07:59
time-range weekend periodic
  weekend 00:00 to 23:59
time-range working-hours periodic
  weekday 08:00 to 18:00
ip access-list session allow-diskservices
  any any svc-netbios-dgm permit
  any any svc-netbios-ssn permit
  any any svc-microsoft-ds permit
  any any svc-netbios-ns permit
ip access-list session control
  any any svc-papi permit
  any any svc-sec-papi permit
  user any udp 68 deny
  any any svc-icmp permit
  any any svc-dns permit
  any any svc-cfgm-tcp permit
  any any svc-adp permit
  any any svc-tftp permit
  any any svc-dhcp permit
  any any svc-natt permit
ip access-list session v6-icmp-acl
ip access-list session apprf-ascom-sacl
ip access-list session validuser
  network 169.254.0.0 255.255.0.0 any any deny
  network 127.0.0.0 255.0.0.0 any any deny
  network 224.0.0.0 240.0.0.0 any any deny
  host 255.255.255.255 any any deny
  network 240.0.0.0 240.0.0.0 any any deny
  any any any permit
  ipv6 host fe80:: any any deny
  ipv6 network fc00::/7 any any permit
  ipv6 network fe80::/64 any any permit
  ipv6 alias ipv6-reserved-range any any deny
  ipv6 any any any permit
ip access-list session vocera-acl
  any any svc-vocera permit queue high


ip access-list session v6-https-acl
ip access-list session vmware-acl
  any any svc-vmware-rdp permit tos 46 dot1p-priority 6
  any any svc-pcoip-tcp permit tos 46 dot1p-priority 6
  any any svc-pcoip-udp permit tos 46 dot1p-priority 6
  any any svc-pcoip2-tcp permit tos 46 dot1p-priority 6
  any any svc-pcoip2-udp permit tos 46 dot1p-priority 6
ip access-list session apprf-default-vpn-role-sacl
ip access-list session v6-control
  ipv6 any any svc-papi permit
  ipv6 any any svc-sec-papi permit
  ipv6 user any udp 547 deny
  ipv6 any any svc-v6-icmp permit
  ipv6 any any svc-dns permit
  ipv6 any any svc-cfgm-tcp permit
  ipv6 any any svc-adp permit
  ipv6 any any svc-tftp permit
  ipv6 any any svc-dhcp permit
  ipv6 any any svc-natt permit
ip access-list session icmp-acl
  any any svc-icmp permit
ip access-list session apprf-authenticated-sacl
ip access-list session apprf-stateful-dot1x-sacl
ip access-list session captiveportal
  user alias controller svc-https dst-nat 8081
  user any svc-http dst-nat 8080
  user any svc-https dst-nat 8081
  user any svc-http-proxy1 dst-nat 8088
  user any svc-http-proxy2 dst-nat 8088
  user any svc-http-proxy3 dst-nat 8088
ip access-list session v6-dhcp-acl
ip access-list session allowall
  any any any permit
ip access-list session v6-dns-acl
ip access-list session apprf-voice-sacl
ip access-list session lync-acl
  any any svc-sips permit queue high
ip access-list session test
ip access-list session sip-acl
  any any svc-sip-udp permit queue high
  any any svc-sip-tcp permit queue high
ip access-list session https-acl
  any any svc-https permit
ip access-list session citrix-acl
  any any svc-citrix permit tos 46 dot1p-priority 6
  any any svc-ica permit tos 46 dot1p-priority 6
ip access-list session dns-acl
  any any svc-dns permit


ip access-list session ascom
  any any any permit
ip access-list session ra-guard
  ipv6 user any icmpv6 rtr-adv deny
ip access-list session allow-printservices
  any any svc-cups permit
  any any svc-lpd-tcp permit
  any any svc-lpd-udp permit
ip access-list session logon-control
  user any udp 68 deny
  any any svc-icmp permit
  any any svc-dns permit
  any any svc-dhcp permit
  any any svc-natt permit
  any network 169.254.0.0 255.255.0.0 any deny
  any network 240.0.0.0 240.0.0.0 any deny
ip access-list session vpnlogon
  user any svc-ike permit
  user any svc-esp permit
  any any svc-l2tp permit
  any any svc-pptp permit
  any any svc-gre permit
ip access-list session srcnat
  user any any src-nat
ip access-list session skinny-acl
  any any svc-sccp permit queue high
ip access-list session tftp-acl
  any any svc-tftp permit
ip access-list session v6-allowall
ip access-list session apprf-cpbase-sacl
ip access-list session cplogout
  user alias controller svc-https dst-nat 8081
ip access-list session apprf-default-via-role-sacl
ip access-list session dhcp-acl
  any any svc-dhcp permit
ip access-list session http-acl
  any any svc-http permit
ip access-list session v6-http-acl
ip access-list session captiveportal6
  ipv6 user alias controller6 svc-https captive
  ipv6 user any svc-http captive
  ipv6 user any svc-https captive
  ipv6 user any svc-http-proxy1 captive
  ipv6 user any svc-http-proxy2 captive
  ipv6 user any svc-http-proxy3 captive
ip access-list session apprf-guest-sacl
ip access-list session ap-uplink-acl
  any any udp 68 permit

  any any svc-icmp permit
  any host 22400251 udp 5353 permit
ip access-list session ap-acl
  any any svc-gre permit
  any any svc-syslog permit
  any user svc-snmp permit
  user any svc-http permit
  user any svc-http-accl permit
  user any svc-smb-tcp permit
  user any svc-msrpc-tcp permit
  user any svc-snmp-trap permit
  user any svc-ntp permit
  user alias controller svc-ftp permit
ip access-list session svp-acl
  any any svc-svp permit queue high
  user host 22401116 any permit
ip access-list session noe-acl
  any any svc-noe permit queue high
ip access-list session global-sacl
ip access-list session v6-ap-acl
  ipv6 any any svc-gre permit
  ipv6 any any svc-syslog permit
  ipv6 any user svc-snmp permit
  ipv6 user any svc-snmp-trap permit
  ipv6 user any svc-ntp permit
  ipv6 user alias controller6 svc-ftp permit
ip access-list session h323-acl
  any any svc-h323-tcp permit queue high
  any any svc-h323-udp permit queue high
ip access-list session v6-logon-control
  ipv6 any network fc007 any permit
  ipv6 any network fe8064 any permit
  ipv6 any alias ipv6-reserved-range any deny
vpn-dialer default-dialer
  ike authentication PRE-SHARE 0fa4598253e270cc96afbec0732b06120e4a3d76a908f6e2
dot1x high-watermark 60
dot1x low-watermark 57
user-role ap-role
  access-list session ra-guard
  access-list session control
  access-list session ap-acl
  access-list session v6-control
  access-list session v6-ap-acl
user-role denyall
user-role default-vpn-role
  access-list session global-sacl
  access-list session apprf-default-vpn-role-sacl
  access-list session ra-guard
  access-list session allowall
  access-list session v6-allowall
user-role cpbase
  access-list session global-sacl
  access-list session apprf-cpbase-sacl

user-role voice
  access-list session global-sacl
  access-list session apprf-voice-sacl
  access-list session ra-guard
  access-list session sip-acl
  access-list session noe-acl
  access-list session svp-acl
  access-list session vocera-acl
  access-list session skinny-acl
  access-list session h323-acl
  access-list session dhcp-acl
  access-list session tftp-acl
  access-list session dns-acl
  access-list session icmp-acl
user-role ascom
  access-list session global-sacl
  access-list session apprf-ascom-sacl
  access-list session ascom
user-role default-via-role
  access-list session global-sacl
  access-list session apprf-default-via-role-sacl
  access-list session allowall
  access-list session v6-allowall
user-role guest-logon
  captive-portal default
  access-list session ra-guard
  access-list session logon-control
  access-list session captiveportal
  access-list session v6-logon-control
  access-list session captiveportal6
user-role guest
  access-list session global-sacl
  access-list session apprf-guest-sacl
  access-list session ra-guard
  access-list session http-acl
  access-list session https-acl
  access-list session dhcp-acl
  access-list session icmp-acl
  access-list session dns-acl
  access-list session v6-http-acl
  access-list session v6-https-acl
  access-list session v6-dhcp-acl
  access-list session v6-icmp-acl
  access-list session v6-dns-acl
user-role stateful-dot1x
  access-list session global-sacl
  access-list session apprf-stateful-dot1x-sacl
user-role authenticated
  access-list session global-sacl
  access-list session apprf-authenticated-sacl
  access-list session ra-guard
  access-list session allowall
  access-list session v6-allowall
user-role logon
  access-list session ra-guard
  access-list session logon-control
  access-list session captiveportal
  access-list session vpnlogon
  access-list session v6-logon-control

  access-list session captiveportal6
no kernel coredump
interface mgmt
  shutdown
dialer group evdo_us
  init-string ATQ0V1E0
  dial-string ATDT777
dialer group gsm_us
  init-string AT+CGDCONT=1IPISPCINGULAR
  dial-string ATD99
dialer group gsm_asia
  init-string AT+CGDCONT=1IPinternet
  dial-string ATD991
dialer group vivo_br
  init-string AT+CGDCONT=1IPzapvivocombr
  dial-string ATD99
no spanning-tree
interface gigabitethernet 10
  description GE10
  trusted
  trusted vlan 1-4094
interface gigabitethernet 11
  description GE11
  trusted
  trusted vlan 1-4094
interface gigabitethernet 12
  description GE12
  trusted
  trusted vlan 1-4094
interface gigabitethernet 13
  description GE13
  trusted
  trusted vlan 1-4094
interface vlan 1
  ip address 192168013 2552552550
ip default-gateway 172201061
ip default-gateway 192168050
uplink disable

crypto isakmp policy 20
  encryption aes256
crypto isakmp policy 10001
crypto isakmp policy 10002
  encryption aes256
  authentication rsa-sig
crypto isakmp policy 10003
  encryption aes256
crypto isakmp policy 10004
  version v2
  encryption aes256
  authentication rsa-sig
crypto isakmp policy 10005
  encryption aes256
crypto isakmp policy 10006
  version v2
  encryption aes128
  authentication rsa-sig
crypto isakmp policy 10007
  version v2
  encryption aes128
crypto isakmp policy 10008
  version v2
  encryption aes128
  hash sha2-256-128
  group 19
  authentication ecdsa-256
  prf prf-hmac-sha256
crypto isakmp policy 10009
  version v2
  encryption aes256
  hash sha2-384-192
  group 20
  authentication ecdsa-384
  prf prf-hmac-sha384
crypto ipsec transform-set default-ha-transform esp-3des esp-sha-hmac
crypto ipsec transform-set default-boc-bm-transform esp-3des esp-sha-hmac
crypto ipsec transform-set default-rap-transform esp-aes256 esp-sha-hmac
crypto ipsec transform-set default-aes esp-aes256 esp-sha-hmac
crypto dynamic-map default-rap-ipsecmap 10001
  version v2
  set transform-set default-gcm256 default-gcm128 default-rap-transform
crypto dynamic-map default-dynamicmap 10000
  set transform-set default-transform default-aes

crypto map GLOBAL-IKEV2-MAP 10000 ipsec-isakmp dynamic default-rap-ipsecmap
crypto map GLOBAL-MAP 10000 ipsec-isakmp dynamic default-dynamicmap
crypto isakmp eap-passthrough eap-tls
crypto isakmp eap-passthrough eap-peap
crypto isakmp eap-passthrough eap-mschapv2
vpdn group l2tp
vpdn group pptp
tunneled-node-address 0000
adp discovery enable
adp igmp-join enable
adp igmp-vlan 0
voice rtcp-inactivity disable
voice alg-based-cac enable
voice sip-midcall-req-timeout disable
ap ap-blacklist-time 3600
ap flush-r1-on-new-r0 disable
mgmt-user admin root 5436b5a101681372db26d314e974065944317cd3e1fe6a5534
no database synchronize
ip mobile domain default
airgroup mdns enable
airgroup dlna enable
airgroup location-discovery enable
airgroup active-wireless-discovery disable
airgroupservice airplay
  id _airplay_tcp
  id _raop_tcp
  id _appletv-v2_tcp
  description AirPlay
airgroupservice airprint
  id _ipp_tcp
  id _pdl-datastream_tcp
  id _printer_tcp
  id _scanner_tcp
  id _universal_sub_ipp_tcp
  id _universal_sub_ipps_tcp
  id _printer_sub_http_tcp
  id _http_tcp

  id _http-alt_tcp
  id _ipp-tls_tcp
  id _fax-ipp_tcp
  id _riousbprint_tcp
  id _cups_sub_ipp_tcp
  id _cups_sub_fax-ipp_tcp
  id _ica-networking_tcp
  id _ptp_tcp
  id _canon-bjnp1_tcp
  id _ipps_tcp
  id _ica-networking2_tcp
  description AirPrint
airgroupservice itunes
  id _home-sharing_tcp
  id _apple-mobdev_tcp
  id _daap_tcp
  id _dacp_tcp
  description iTunes
airgroupservice remotemgmt
  id _ssh_tcp
  id _sftp-ssh_tcp
  id _ftp_tcp
  id _telnet_tcp
  id _rfb_tcp
  id _net-assistant_tcp
  description Remote management
airgroupservice sharing
  id _odisk_tcp
  id _afpovertcp_tcp
  id _xgrid_tcp
  description Sharing
airgroupservice chat
  id _presence_tcp
  description Chat
airgroupservice googlecast
  id _googlecast_tcp
  description GoogleCast supported by Chromecast etc
airgroupservice DIAL
  id urndial-multiscreen-orgservicedial1
  id urndial-multiscreen-orgdevicedial1
  description DIAL supported by Chromecast FireTV Roku etc
airgroupservice DLNA Media
  id urnschemas-upnp-orgdeviceMediaServer1
  id urnschemas-upnp-orgdeviceMediaServer2
  id urnschemas-upnp-orgdeviceMediaServer3
  id urnschemas-upnp-orgdeviceMediaServer4
  id urnschemas-upnp-orgdeviceMediaRenderer1
  id urnschemas-upnp-orgdeviceMediaRenderer2
  id urnschemas-upnp-orgdeviceMediaRenderer3
  id urnschemas-upnp-orgdeviceMediaPlayer1
  description Media
airgroupservice DLNA Print
  id urnschemas-upnp-orgdevicePrinter1
  id urnschemas-upnp-orgservicePrintBasic1
  id urnschemas-upnp-orgservicePrintEnhanced1
  description Print
airgroupservice allowall

  description Remaining-Services
airgroup service airplay enable
airgroup service airprint enable
airgroup service itunes disable
airgroup service remotemgmt disable
airgroup service sharing disable
airgroup service chat disable
airgroup service googlecast disable
airgroup service DIAL enable
airgroup service DLNA Media disable
airgroup service DLNA Print disable
airgroup service allowall disable
ip igmp
ipv6 mld
no firewall attack-rate cp 1024
firewall enable ICE-STUN based firewall traversal
firewall attack-rate grat-arp 50 drop
ipv6 firewall ext-hdr-parse-len 100
firewall cp
ip domain lookup
country US
aaa authentication mac default
aaa authentication dot1x ArubaIntop-dot1x_prof
aaa authentication dot1x ascom
  machine-authentication enable
  machine-authentication machine-default-role ascom
  machine-authentication user-default-role authenticated
  reauthentication
  termination enable
  termination eap-type eap-peap
  termination inner-eap-type eap-mschapv2
aaa authentication dot1x default
aaa authentication dot1x Freeradius
  machine-authentication enable
  machine-authentication machine-default-role ascom
  machine-authentication user-default-role authenticated
aaa authentication-server radius Intop
  host 19216802

  key 6035e299cd29e5ccb74cf92aac31ee2f
aaa server-group ascom
  auth-server Internal
aaa server-group default
  auth-server Internal
  set role condition role value-of
aaa server-group intop
  auth-server Intop
aaa profile ascom
  initial-role ascom
  authentication-dot1x ascom
  dot1x-default-role authenticated
  dot1x-server-group ascom
aaa profile default
aaa profile default-dot1x
  initial-role ascom
  authentication-dot1x Freeradius
  dot1x-default-role authenticated
  dot1x-server-group intop
aaa profile default-dot1x-psk
  initial-role ascom
  authentication-dot1x default-psk
  dot1x-default-role authenticated
aaa authentication captive-portal default
aaa authentication wispr default
aaa authentication vpn default
aaa authentication vpn default-rap
aaa authentication mgmt
aaa authentication stateful-ntlm default
aaa authentication stateful-kerberos default
aaa authentication stateful-dot1x
  server-group intop
aaa authentication wired
web-server
guest-access-email
voice logging
voice dialplan-profile default
app lync traffic-control default
voice real-time-config
voice sip
aaa password-policy mgmt

control-plane-security
  no cpsec-enable
ids wms-general-profile
  poll-retries 3
ids wms-local-system-profile
valid-network-oui-profile
upgrade-profile
license profile
activate-service-whitelist
file syncing profile
ifmap cppm
pan profile default
pan active-profile
ap system-profile default
ap regulatory-domain-profile default
  country-code US
  valid-11g-channel 1
  valid-11g-channel 6
  valid-11g-channel 11
  valid-11a-channel 36
  valid-11a-channel 40
  valid-11a-channel 44
  valid-11a-channel 48
  valid-11a-channel 149
  valid-11a-channel 153
  valid-11a-channel 157
  valid-11a-channel 161
  valid-11a-channel 165
  valid-11g-40mhz-channel-pair 1-5
  valid-11g-40mhz-channel-pair 7-11
  valid-11a-40mhz-channel-pair 36-40
  valid-11a-40mhz-channel-pair 44-48
  valid-11a-40mhz-channel-pair 149-153
  valid-11a-40mhz-channel-pair 157-161
ap wired-ap-profile default
ap enet-link-profile default
ap mesh-ht-ssid-profile default
ap lldp med-network-policy-profile default
ap mesh-cluster-profile default
ap lldp profile default
ap mesh-radio-profile default
ap wired-port-profile default
ids general-profile default
ids unauthorized-device-profile default

ids profile default
rf arm-profile default
  assignment disable
rf arm-profile disable
  assignment disable
  no scanning
  no multi-band-scan
rf optimization-profile default
rf event-thresholds-profile default
rf am-scan-profile default
rf dot11a-radio-profile ch 165
  channel 48E
  tx-power 6
  arm-profile disable
rf dot11a-radio-profile ch 36
  channel 36E
  tx-power 25
  dot11h
  arm-profile disable
rf dot11a-radio-profile ch 40
  channel 40-
  tx-power 22
rf dot11a-radio-profile ch149
  channel 149E
  tx-power 6
  dot11h
rf dot11a-radio-profile ch44
  channel 44
  tx-power 16
rf dot11a-radio-profile default
  arm-profile disable
rf dot11g-radio-profile channel-1
  channel 1
  tx-power 6
  dot11h
  arm-profile disable
rf dot11g-radio-profile channel-11
  channel 11
  tx-power 30
  dot11h
  arm-profile disable
rf dot11g-radio-profile channel-6
  channel 6
  tx-power 25
  dot11h
  arm-profile disable
rf dot11g-radio-profile default
wlan handover-trigger-profile default

wlan rrm-ie-profile default
wlan bcn-rpt-req-profile default
wlan dot11r-profile default
wlan tsm-req-profile default
wlan voip-cac-profile default
  call-capacity 5
  bandwidth-capacity 200
  send-sip-status-code client 503
  send-sip-status-code server 503
wlan ht-ssid-profile default
  no 40MHz-enable
  no very-high-throughput-enable
  no 80MHz-enable
  no short-guard-intvl-20MHz
  no short-guard-intvl-40MHz
  no short-guard-intvl-80MHz
wlan hotspot anqp-venue-name-profile default
wlan hotspot anqp-nwk-auth-profile default
wlan hotspot anqp-roam-cons-profile default
wlan hotspot anqp-nai-realm-profile default
wlan hotspot anqp-3gpp-nwk-profile default
wlan hotspot h2qp-operator-friendly-name-profile default
wlan hotspot h2qp-wan-metrics-profile default
wlan hotspot h2qp-conn-capability-profile default
wlan hotspot h2qp-op-cl-profile default
wlan hotspot anqp-ip-addr-avail-profile default
wlan hotspot anqp-domain-name-profile default
wlan wmm-traffic-management-profile Ascom
  enable-shaping
wlan edca-parameters-profile station default
wlan edca-parameters-profile ap default
wlan dot11k-profile default
wlan ssid-profile --NEW--
  essid ArubaIntop2
  wmm-vo-dscp 56
  wmm-vi-dscp 40
  wmm-be-dscp 24
  wmm-bk-dscp 8
wlan ssid-profile default
  essid ArubaIntop
  opmode wpa2-psk-aes
  dtim-period 5
  g-basic-rates 6
  g-tx-rates 11 12 18 24 36 48 54

  max-retries 4
  wmm
  wmm-vo-dscp 46
  wmm-vi-dscp 40
  wmm-be-dscp 26
  wmm-bk-dscp 0
  wepkey1 1317981aecb1ee9a3145cbeeabbbc99a4c29e309ef9c8544
  wpa-passphrase 50a78a5dac7e447441e028920cceef898a3ba5f29c6e2098
  max-tx-fail 25
  edca-parameters-profile station default
  edca-parameters-profile ap default
wlan ssid-profile test
  opmode wpa2-psk-aes
  wmm-vo-dscp 56
  wmm-vi-dscp 40
  wmm-be-dscp 24
  wmm-bk-dscp 8
  wpa-passphrase c66913b490044f55538730b888a8522c02008a746fb88738
wlan hotspot advertisement-profile default
wlan hotspot hs2-profile default
wlan virtual-ap default
  aaa-profile default-dot1x
ap provisioning-profile default
rf arm-rf-domain-profile
  arm-rf-domain-key 49868e8b02680a8f03980ea4288197a4
ap-lacp-striping-ip
ap-group default
  virtual-ap default
  dot11a-radio-profile ch149
  dot11g-radio-profile channel-6
ap-name 001a1eca2c1a
  dot11a-radio-profile ch 36
  dot11g-radio-profile channel-11
ap-name 001a1eca2c76
  dot11a-radio-profile ch 36
  dot11g-radio-profile channel-1
ap-name 00246ccbf8b1
ap-name 00246ccbf900
  dot11a-radio-profile ch44
  dot11g-radio-profile channel-11
ap-name 24dec6cacabc
  dot11a-radio-profile ch149
  dot11g-radio-profile channel-1
ap-name 3400-ap-61-a
  dot11g-radio-profile channel-6
ap-name 3400-ap-61-b
  dot11g-radio-profile channel-6
ap-name 9c1c12c0c3bc
  dot11a-radio-profile ch 165
  dot11g-radio-profile channel-6

ap-name 9c1c12c82e5c
  dot11a-radio-profile ch149
  dot11g-radio-profile channel-1
ap-name 9c1c12cc6220
  dot11a-radio-profile ch 36
  dot11g-radio-profile channel-6
ap-name d8c7c8c0a168
  dot11a-radio-profile ch 36
  dot11g-radio-profile channel-1
airgroup cppm-server aaa
logging level warnings security subcat ids
logging level warnings security subcat ids-ap
snmp-server enable trap
snmp-server trap source 0000
snmp-server trap disable wlsxAdhocNetwork
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedAP
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedSta
snmp-server trap disable wlsxAdhocUsingValidSSID
snmp-server trap disable wlsxAuthMaxAclEntries
snmp-server trap disable wlsxAuthMaxBWContracts
snmp-server trap disable wlsxAuthMaxUserEntries
snmp-server trap disable wlsxAuthServerIsUp
snmp-server trap disable wlsxAuthServerReqTimedOut
snmp-server trap disable wlsxAuthServerTimedOut
snmp-server trap disable wlsxChannelChanged
snmp-server trap disable wlsxCoverageHoleDetected
snmp-server trap disable wlsxDBCommunicationFailure
snmp-server trap disable wlsxDisconnectStationAttack
snmp-server trap disable wlsxESIServerDown
snmp-server trap disable wlsxESIServerUp
snmp-server trap disable wlsxFanFailure
snmp-server trap disable wlsxFanTrayInserted
snmp-server trap disable wlsxFanTrayRemoved
snmp-server trap disable wlsxGBICInserted
snmp-server trap disable wlsxIpSpoofingDetected
snmp-server trap disable wlsxLCInserted
snmp-server trap disable wlsxLCRemoved
snmp-server trap disable wlsxLicenseExpiry
snmp-server trap disable wlsxLowMemory
snmp-server trap disable wlsxLowOnFlashSpace
snmp-server trap disable wlsxOutOfRangeTemperature
snmp-server trap disable wlsxOutOfRangeVoltage
snmp-server trap disable wlsxPowerSupplyFailure
snmp-server trap disable wlsxPowerSupplyMissing
snmp-server trap disable wlsxProcessDied
snmp-server trap disable wlsxProcessExceedsMemoryLimits
snmp-server trap disable wlsxSCInserted
snmp-server trap disable wlsxSignatureMatch
snmp-server trap disable wlsxStaUnAssociatedFromUnsecureAP
snmp-server trap disable wlsxStationAddedToBlackList
snmp-server trap disable wlsxStationRemovedFromBlackList
snmp-server trap disable wlsxSwitchIPChanged
snmp-server trap disable wlsxSwitchRoleChange
snmp-server trap disable wlsxUserAuthenticationFailed
snmp-server trap disable wlsxUserEntryAuthenticated
snmp-server trap disable wlsxUserEntryChanged
snmp-server trap disable wlsxUserEntryCreated
snmp-server trap disable wlsxUserEntryDeAuthenticated
snmp-server trap disable wlsxUserEntryDeleted
snmp-server trap disable wlsxVrrpStateChange

firewall-visibility
process monitor log
end

WLAN TR

arm-profile default assignment disablerf arm-profile disable assignment disable no scanning no multi-band-scanrf optimization-profile defaultrf event-thresholds-profile defaultrf am-scan-profile defaultrf dot11a-radio-profile ch 165 channel 48E tx-power 6 arm-profile disablerf dot11a-radio-profile ch 36 channel 36E tx-power 25 dot11h arm-profile disablerf dot11a-radio-profile ch 40 channel 40- tx-power 22rf dot11a-radio-profile ch149 channel 149E tx-power 6 dot11hrf dot11a-radio-profile ch44 channel 44 tx-power 16rf dot11a-radio-profile default arm-profile disablerf dot11g-radio-profile channel-1 channel 1 tx-power 6 dot11h arm-profile disablerf dot11g-radio-profile channel-11 channel 11 tx-power 30 dot11h arm-profile disablerf dot11g-radio-profile channel-6 channel 6 tx-power 25 dot11h arm-profile disablerf dot11g-radio-profile defaultwlan handover-trigger-profile defaultwlan rrm-ie-profile defaultwlan bcn-rpt-req-profile defaultwlan dot11r-profile defaultwlan tsm-req-profile defaultwlan voip-cac-profile default call-capacity 5 bandwidth-capacity 200 send-sip-status-code client 503 send-sip-status-code server 503wlan ht-ssid-profile default no 40MHz-enable no very-high-throughput-enable no 80MHz-enable no short-guard-intvl-20MHz no short-guard-intvl-40MHz no short-guard-intvl-80MHzwlan hotspot anqp-venue-name-profile defaultwlan hotspot anqp-nwk-auth-profile defaultwlan hotspot anqp-roam-cons-profile defaultwlan hotspot anqp-nai-realm-profile defaultwlan hotspot anqp-3gpp-nwk-profile defaultwlan hotspot h2qp-operator-friendly-name-profile defaultwlan hotspot h2qp-wan-metrics-profile defaultwlan hotspot h2qp-conn-capability-profile defaultwlan hotspot h2qp-op-cl-profile defaultwlan hotspot anqp-ip-addr-avail-profile defaultwlan hotspot anqp-domain-name-profile defaultwlan wmm-traffic-management-profile Ascom enable-shapingwlan edca-parameters-profile station defaultwlan edca-parameters-profile ap defaultwlan dot11k-profile defaultwlan ssid-profile --NEW-- essid 
ArubaIntop2 wmm-vo-dscp 56 wmm-vi-dscp 40 wmm-be-dscp 24 wmm-bk-dscp 8wlan ssid-profile default essid ArubaIntop opmode wpa2-psk-aes dtim-period 5 g-basic-rates 6 g-tx-rates 11 12 18 24 36 48 54 max-retries 4 wmm wmm-vo-dscp 46 wmm-vi-dscp 40 wmm-be-dscp 26 wmm-bk-dscp 0 wepkey1 1317981aecb1ee9a3145cbeeabbbc99a4c29e309ef9c8544 wpa-passphrase 50a78a5dac7e447441e028920cceef898a3ba5f29c6e2098 max-tx-fail 25 edca-parameters-profile station default edca-parameters-profile ap defaultwlan ssid-profile test opmode wpa2-psk-aes wmm-vo-dscp 56 wmm-vi-dscp 40 wmm-be-dscp 24 wmm-bk-dscp 8 wpa-passphrase c66913b490044f55538730b888a8522c02008a746fb88738wlan hotspot advertisement-profile defaultwlan hotspot hs2-profile defaultwlan virtual-ap default aaa-profile default-dot1xap provisioning-profile defaultrf arm-rf-domain-profile arm-rf-domain-key 49868e8b02680a8f03980ea4288197a4ap-lacp-striping-ipap-group default virtual-ap default dot11a-radio-profile ch149 dot11g-radio-profile channel-6ap-name 001a1eca2c1a dot11a-radio-profile ch 36 dot11g-radio-profile channel-11ap-name 001a1eca2c76 dot11a-radio-profile ch 36 dot11g-radio-profile channel-1ap-name 00246ccbf8b1ap-name 00246ccbf900 dot11a-radio-profile ch44 dot11g-radio-profile channel-11ap-name 24dec6cacabc dot11a-radio-profile ch149 dot11g-radio-profile channel-1ap-name 3400-ap-61-a dot11g-radio-profile channel-6ap-name 3400-ap-61-b dot11g-radio-profile channel-6ap-name 9c1c12c0c3bc dot11a-radio-profile ch 165 dot11g-radio-profile channel-6ap-name 9c1c12c82e5c dot11a-radio-profile ch149 dot11g-radio-profile channel-1ap-name 9c1c12cc6220 dot11a-radio-profile ch 36 dot11g-radio-profile channel-6ap-name d8c7c8c0a168 dot11a-radio-profile ch 36 dot11g-radio-profile channel-1airgroup cppm-server aaalogging level warnings security subcat idslogging level warnings security subcat ids-apsnmp-server enable trapsnmp-server trap source 0000snmp-server trap disable wlsxAdhocNetworksnmp-server trap disable 
wlsxAdhocNetworkBridgeDetectedAPsnmp-server trap disable wlsxAdhocNetworkBridgeDetectedStasnmp-server trap disable wlsxAdhocUsingValidSSIDsnmp-server trap disable wlsxAuthMaxAclEntriessnmp-server trap disable wlsxAuthMaxBWContractssnmp-server trap disable wlsxAuthMaxUserEntriessnmp-server trap disable wlsxAuthServerIsUpsnmp-server trap disable wlsxAuthServerReqTimedOutsnmp-server trap disable wlsxAuthServerTimedOutsnmp-server trap disable wlsxChannelChangedsnmp-server trap disable wlsxCoverageHoleDetectedsnmp-server trap disable wlsxDBCommunicationFailuresnmp-server trap disable wlsxDisconnectStationAttacksnmp-server trap disable wlsxESIServerDownsnmp-server trap disable wlsxESIServerUpsnmp-server trap disable wlsxFanFailuresnmp-server trap disable wlsxFanTrayInsertedsnmp-server trap disable wlsxFanTrayRemovedsnmp-server trap disable wlsxGBICInsertedsnmp-server trap disable wlsxIpSpoofingDetectedsnmp-server trap disable wlsxLCInsertedsnmp-server trap disable wlsxLCRemovedsnmp-server trap disable wlsxLicenseExpirysnmp-server trap disable wlsxLowMemorysnmp-server trap disable wlsxLowOnFlashSpacesnmp-server trap disable wlsxOutOfRangeTemperaturesnmp-server trap disable wlsxOutOfRangeVoltagesnmp-server trap disable wlsxPowerSupplyFailuresnmp-server trap disable wlsxPowerSupplyMissingsnmp-server trap disable wlsxProcessDiedsnmp-server trap disable wlsxProcessExceedsMemoryLimitssnmp-server trap disable wlsxSCInsertedsnmp-server trap disable wlsxSignatureMatchsnmp-server trap disable wlsxStaUnAssociatedFromUnsecureAPsnmp-server trap disable wlsxStationAddedToBlackListsnmp-server trap disable wlsxStationRemovedFromBlackListsnmp-server trap disable wlsxSwitchIPChangedsnmp-server trap disable wlsxSwitchRoleChangesnmp-server trap disable wlsxUserAuthenticationFailedsnmp-server trap disable wlsxUserEntryAuthenticatedsnmp-server trap disable wlsxUserEntryChangedsnmp-server trap disable wlsxUserEntryCreatedsnmp-server trap disable wlsxUserEntryDeAuthenticatedsnmp-server trap 
disable wlsxUserEntryDeletedsnmp-server trap disable wlsxVrrpStateChangefirewall-visibility process monitor logend

WLAN TR

WLAN Interoperability Test Report

Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP115 and AP225

WLAN configuration:
Beacon Interval 100ms
DTIM Interval 5
802.11d Regulatory Domain XX
WMM Enabled (AutoWMM)
No Auto-tune
Single Voice VLAN

| Test Case | Description | AP115 2.4 GHz | AP115 5.0 GHz | AP225 2.4 GHz | AP225 5.0 GHz | Comment |
| --- | --- | --- | --- | --- | --- | --- |
| | TEST AREA ASSOCIATION / AUTHENTICATION | | | | | |
| 101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS | |
| 104 | Association with WPA-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 105 | Association with WPA-PSK authentication, AES-CCMP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 106 | Association with WPA2-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS | |
| 110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL |
| 111 | Association with EAP-FAST authentication | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment |
| 116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate |
| | TEST AREA POWER-SAVE AND QOS | | | | | PASS |
| 150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL |
| 151 | Beacon period and DTIM interval | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
| 152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment |
| 202 | WMM prioritization | PASS | PASS | PASS | PASS | Background load generated with iPerf. No degeneration of voice quality |
| | TEST AREA PERFORMANCE | | | | | |
| 301 | Active mode - unencrypted | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 303 | Active mode - encrypted with WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 308 | Power-save mode U-APSD - WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 309 | Power-save mode U-APSD - WPA2-PSK AES, background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 310 | CAC - TSPEC | PASS | PASS | PASS | PASS | No TSPEC based CAC |
| | TEST AREA ROAMING AND HANDOVER TIMES | | | | | |
| 401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | avg a/n 24 ms, b/g/n 24 ms |
| 403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 52 ms, b/g/n 59 ms |
| 408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 63 ms, b/g/n 62 ms |
| 410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | always on, see 408 |
| 411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | always on, see 408 |
| | TEST AREA BATTERY LIFETIME | | | | | |
| 501 | Battery lifetime in idle | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 502 | Battery lifetime in call with no power save | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 504 | Battery lifetime in call with power save mode U-APSD | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| | TEST AREA STABILITY | | | | | |
| 601 | Duration of call - Active mode | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 602 | Duration of call - U-APSD mode | PASS | PASS | PASS | PASS | |
| | TEST AREA 802.11n | | | | | |
| 801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 804 | 40 MHz channels | NOT TESTED | PASS | NOT TESTED | NOT TESTED | |
| 805 | 802.11n rates | PASS | PASS | PASS | PASS | |

WLAN Interoperability Test Report

Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP103 and AP205

WLAN configuration:
Beacon Interval 100ms
DTIM Interval 5
802.11d Regulatory Domain XX
WMM Enabled (AutoWMM)
No Auto-tune
Single Voice VLAN

| Test Case | Description | AP205 2.4 GHz | AP205 5.0 GHz | AP103 2.4 GHz | AP103 5.0 GHz | Comment |
| --- | --- | --- | --- | --- | --- | --- |
| | TEST AREA ASSOCIATION / AUTHENTICATION | | | | | |
| 101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS | |
| 104 | Association with WPA-PSK authentication, TKIP encryption | See Comment | See Comment | See Comment | See Comment | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 105 | Association with WPA-PSK authentication, AES-CCMP encryption | See Comment | See Comment | See Comment | See Comment | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 106 | Association with WPA2-PSK authentication, TKIP encryption | PASS | PASS | PASS | PASS | |
| 107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS | |
| 110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL |
| 115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment |
| 116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate |
| | TEST AREA POWER-SAVE AND QOS | | | | | PASS |
| 150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL |
| 151 | Beacon period and DTIM interval | See Comment | See Comment | PASS | PASS | Only DTIM 1 for AP205; AP103 no remark. NOT TESTED |
| 152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment |
| 202 | WMM prioritization | PASS | PASS | PASS | PASS | |
| | TEST AREA PERFORMANCE | | | | | |
| 301 | Active mode - unencrypted | PASS | PASS | PASS | PASS | |
| 303 | Active mode - encrypted with WPA2-PSK | PASS | PASS | PASS | PASS | |
| 308 | Power-save mode U-APSD - WPA2-PSK | PASS | PASS | PASS | PASS | |
| 309 | Power-save mode U-APSD - WPA2-PSK AES, background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 310 | CAC - TSPEC | PASS | PASS | PASS | PASS | Non TSPEC based CAC |
| | TEST AREA ROAMING AND HANDOVER TIMES | | | | | |
| 401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 16 ms, b/g/n 18 ms |
| 403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 53 ms, b/g/n 59 ms |
| 408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 46 ms, b/g/n 62 ms |
| 410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | always on, see 408 |
| 411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | always on, see 408 |
| | TEST AREA BATTERY LIFETIME | | | | | |
| 501 | Battery lifetime in idle | See Comment | See Comment | PASS | PASS | 60-70h due to DTIM 1 only. AP103 90 100h (DTIM 5) |
| 502 | Battery lifetime in call with no power save | PASS | PASS | PASS | PASS | 3-4 hours |
| 504 | Battery lifetime in call with power save mode U-APSD | PASS | PASS | PASS | PASS | 13h (14-16h for AP103) |
| | TEST AREA STABILITY | | | | | |
| 601 | Duration of call - Active mode | PASS | PASS | PASS | PASS | 24h + |
| 602 | Duration of call - U-APSD mode | PASS | PASS | PASS | PASS | 24h + |
| | TEST AREA 802.11n | | | | | |
| 801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 804 | 40 MHz channels | NOT TESTED | PASS | NOT TESTED | PASS | AP205 80 MHz channels verified OK |
| 805 | 802.11n rates | PASS | PASS | PASS | PASS | |

WLAN Interoperability Test Report

Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP105 and AP135

WLAN configuration:
Beacon Interval 100ms
DTIM Interval 5
802.11d Regulatory Domain XX
WMM Enabled (AutoWMM)
No Auto-tune
Single Voice VLAN

| Test Case | Description | AP105 2.4 GHz | AP105 5.0 GHz | AP135 2.4 GHz | AP135 5.0 GHz | Comment |
| --- | --- | --- | --- | --- | --- | --- |
| | TEST AREA ASSOCIATION / AUTHENTICATION | | | | | |
| 101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS | |
| 104 | Association with WPA-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 105 | Association with WPA-PSK authentication, AES-CCMP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 106 | Association with WPA2-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS | |
| 110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL |
| 115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment |
| 116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate |
| | TEST AREA POWER-SAVE AND QOS | | | | | PASS |
| 150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL |
| 151 | Beacon period and DTIM interval | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Only DTIM 1 for AP205; AP103 no remark. NOT TESTED |
| 152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment |
| 202 | WMM prioritization | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Background load generated with iPerf. No degeneration of voice quality |
| | TEST AREA PERFORMANCE | | | | | |
| 301 | Active mode - unencrypted | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 303 | Active mode - encrypted with WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 308 | Power-save mode U-APSD - WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 309 | Power-save mode U-APSD - WPA2-PSK AES, background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 310 | CAC - TSPEC | PASS | PASS | PASS | PASS | No TSPEC based CAC |
| | TEST AREA ROAMING AND HANDOVER TIMES | | | | | |
| 401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | avg a/n 29 ms, b/g/n 27 ms |
| 403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 57 ms, b/g/n 55 ms |
| 408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 62 ms, b/g/n 60 ms |
| 410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | Always on, see 408 |
| 411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | Always on, see 408 |
| 412 | Preauthentication | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| | TEST AREA BATTERY LIFETIME | | | | | |
| 501 | Battery lifetime in idle | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 502 | Battery lifetime in call with no power save | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 504 | Battery lifetime in call with power save mode U-APSD | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| | TEST AREA STABILITY | | | | | |
| 601 | Duration of call - Active mode | PASS | PASS | PASS | PASS | |
| 602 | Duration of call - U-APSD mode | PASS | PASS | PASS | PASS | |
| | TEST AREA 802.11n | | | | | |
| 801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 804 | 40 MHz channels | NOT TESTED | NOT TESTED | NOT TESTED | PASS | |
| 805 | 802.11n rates | PASS | PASS | PASS | PASS | |
Ascom i62 Setting Summary

Network settings for WPA2‐PSK

Network settings for 802.1X authentication (PEAP-MSCHAPv2)

802.1X authentication requires a root certificate to be uploaded to the phone by "right clicking" -> Edit certificates. EAP-TLS will require both a root and a client certificate.

Note that both a root and a client certificate are needed for TLS. Otherwise only a root certificate is needed.

Server certificate validation can be overridden in version 4112 and above per handset setting (Validate server certificate under Network settings).

APPENDIX B

Test Summary

| Description | Runs |
| --- | --- |
| Tests passed | 24 |
| Tests Not Run | 11 |
| Tests fail | 0 |
| Test NA | 0 |
| Total Number of Tests | 35 |

Aruba Test Configuration File

version 64
enable secret 7d3988e20126db68084797bcc038534bffc2ced01c24555806
hostname Aruba3400
clock timezone PST -8
location Building1floor1
controller config 716
ip NAT pool dynamic-srcnat 0000 0000
ip access-list eth validuserethacl
   permit any
netservice svc-pcoip2-tcp tcp 4172
netservice svc-snmp-trap udp 162
netservice svc-netbios-dgm udp 138
netservice svc-citrix tcp 2598
netservice svc-smb-tcp tcp 445
netservice svc-ike udp 500
netservice svc-l2tp udp 1701
netservice svc-syslog udp 514
netservice svc-dhcp udp 67 68 alg dhcp
netservice svc-https tcp 443
netservice svc-ica tcp 1494
netservice svc-pptp tcp 1723
netservice svc-telnet tcp 23
netservice svc-http-accl tcp 88
netservice svc-sccp tcp 2000 alg sccp
netservice svc-sec-papi udp 8209
netservice svc-tftp udp 69 alg tftp
netservice svc-kerberos udp 88
netservice svc-sip-tcp tcp 5060
netservice svc-netbios-ssn tcp 139
netservice svc-pcoip-udp udp 50002
netservice svc-pcoip-tcp tcp 50002
netservice svc-pop3 tcp 110
netservice svc-adp udp 8200
netservice svc-cfgm-tcp tcp 8211
netservice svc-noe udp 32512 alg noe
netservice svc-http-proxy3 tcp 8888
netservice svc-lpd-tcp tcp 631
netservice svc-msrpc-tcp tcp 135 139
netservice svc-rtsp tcp 554 alg rtsp
netservice svc-dns udp 53 alg dns
netservice vnc tcp 5900 5905
netservice svc-vocera udp 5002 alg vocera
netservice svc-h323-tcp tcp 1720
netservice svc-h323-udp udp 1718 1719
netservice svc-http tcp 80
netservice svc-nterm tcp 1026 1028
netservice svc-sip-udp udp 5060
netservice svc-http-proxy2 tcp 8080
netservice svc-noe-oxo udp 5000 alg noe
netservice svc-papi udp 8211
netservice svc-ftp tcp 21 alg ftp
netservice svc-natt udp 4500
netservice svc-svp 119 alg svp
netservice svc-microsoft-ds tcp 445
netservice svc-gre 47
netservice svc-smtp tcp 25
netservice web tcp list 80 443
netservice svc-smb-udp udp 445
netservice svc-sips tcp 5061 alg sips
netservice svc-netbios-ns udp 137
netservice svc-esp 50

netservice svc-cups tcp 515
netservice svc-pcoip2-udp udp 4172
netservice svc-bootp udp 67 69
netservice svc-snmp udp 161
netservice svc-v6-dhcp udp 546 547
netservice svc-icmp 1
netservice svc-ntp udp 123
netservice svc-msrpc-udp udp 135 139
netservice svc-ssh tcp 22
netservice svc-http-proxy1 tcp 3128
netservice svc-v6-icmp 58
netservice svc-lpd-udp udp 631
netservice svc-vmware-rdp tcp 3389
netdestination6 ipv6-reserved-range
   invert
   network 20003
netexthdr default
time-range night-hours periodic
   weekday 1801 to 2359
   weekday 0000 to 0759
time-range weekend periodic
   weekend 0000 to 2359
time-range working-hours periodic
   weekday 0800 to 1800
ip access-list session allow-diskservices
   any any svc-netbios-dgm permit
   any any svc-netbios-ssn permit
   any any svc-microsoft-ds permit
   any any svc-netbios-ns permit
ip access-list session control
   any any svc-papi permit
   any any svc-sec-papi permit
   user any udp 68 deny
   any any svc-icmp permit
   any any svc-dns permit
   any any svc-cfgm-tcp permit
   any any svc-adp permit
   any any svc-tftp permit
   any any svc-dhcp permit
   any any svc-natt permit
ip access-list session v6-icmp-acl
ip access-list session apprf-ascom-sacl
ip access-list session validuser
   network 16925400 25525500 any any deny
   network 127000 255000 any any deny
   network 224000 240000 any any deny
   host 255255255255 any any deny
   network 240000 240000 any any deny
   any any any permit
   ipv6 host fe80 any any deny
   ipv6 network fc007 any any permit
   ipv6 network fe8064 any any permit
   ipv6 alias ipv6-reserved-range any any deny
   ipv6 any any any permit
ip access-list session vocera-acl
   any any svc-vocera permit queue high

ip access-list session v6-https-acl
ip access-list session vmware-acl
   any any svc-vmware-rdp permit tos 46 dot1p-priority 6
   any any svc-pcoip-tcp permit tos 46 dot1p-priority 6
   any any svc-pcoip-udp permit tos 46 dot1p-priority 6
   any any svc-pcoip2-tcp permit tos 46 dot1p-priority 6
   any any svc-pcoip2-udp permit tos 46 dot1p-priority 6
ip access-list session apprf-default-vpn-role-sacl
ip access-list session v6-control
   ipv6 any any svc-papi permit
   ipv6 any any svc-sec-papi permit
   ipv6 user any udp 547 deny
   ipv6 any any svc-v6-icmp permit
   ipv6 any any svc-dns permit
   ipv6 any any svc-cfgm-tcp permit
   ipv6 any any svc-adp permit
   ipv6 any any svc-tftp permit
   ipv6 any any svc-dhcp permit
   ipv6 any any svc-natt permit
ip access-list session icmp-acl
   any any svc-icmp permit
ip access-list session apprf-authenticated-sacl
ip access-list session apprf-stateful-dot1x-sacl
ip access-list session captiveportal
   user alias controller svc-https dst-nat 8081
   user any svc-http dst-nat 8080
   user any svc-https dst-nat 8081
   user any svc-http-proxy1 dst-nat 8088
   user any svc-http-proxy2 dst-nat 8088
   user any svc-http-proxy3 dst-nat 8088
ip access-list session v6-dhcp-acl
ip access-list session allowall
   any any any permit
ip access-list session v6-dns-acl
ip access-list session apprf-voice-sacl
ip access-list session lync-acl
   any any svc-sips permit queue high
ip access-list session test
ip access-list session sip-acl
   any any svc-sip-udp permit queue high
   any any svc-sip-tcp permit queue high
ip access-list session https-acl
   any any svc-https permit
ip access-list session citrix-acl
   any any svc-citrix permit tos 46 dot1p-priority 6
   any any svc-ica permit tos 46 dot1p-priority 6
ip access-list session dns-acl
   any any svc-dns permit

ip access-list session ascom
   any any any permit
ip access-list session ra-guard
   ipv6 user any icmpv6 rtr-adv deny
ip access-list session allow-printservices
   any any svc-cups permit
   any any svc-lpd-tcp permit
   any any svc-lpd-udp permit
ip access-list session logon-control
   user any udp 68 deny
   any any svc-icmp permit
   any any svc-dns permit
   any any svc-dhcp permit
   any any svc-natt permit
   any network 16925400 25525500 any deny
   any network 240000 240000 any deny
ip access-list session vpnlogon
   user any svc-ike permit
   user any svc-esp permit
   any any svc-l2tp permit
   any any svc-pptp permit
   any any svc-gre permit
ip access-list session srcnat
   user any any src-nat
ip access-list session skinny-acl
   any any svc-sccp permit queue high
ip access-list session tftp-acl
   any any svc-tftp permit
ip access-list session v6-allowall
ip access-list session apprf-cpbase-sacl
ip access-list session cplogout
   user alias controller svc-https dst-nat 8081
ip access-list session apprf-default-via-role-sacl
ip access-list session dhcp-acl
   any any svc-dhcp permit
ip access-list session http-acl
   any any svc-http permit
ip access-list session v6-http-acl
ip access-list session captiveportal6
   ipv6 user alias controller6 svc-https captive
   ipv6 user any svc-http captive
   ipv6 user any svc-https captive
   ipv6 user any svc-http-proxy1 captive
   ipv6 user any svc-http-proxy2 captive
   ipv6 user any svc-http-proxy3 captive
ip access-list session apprf-guest-sacl
ip access-list session ap-uplink-acl
   any any udp 68 permit

   any any svc-icmp permit
   any host 22400251 udp 5353 permit
ip access-list session ap-acl
   any any svc-gre permit
   any any svc-syslog permit
   any user svc-snmp permit
   user any svc-http permit
   user any svc-http-accl permit
   user any svc-smb-tcp permit
   user any svc-msrpc-tcp permit
   user any svc-snmp-trap permit
   user any svc-ntp permit
   user alias controller svc-ftp permit
ip access-list session svp-acl
   any any svc-svp permit queue high
   user host 22401116 any permit
ip access-list session noe-acl
   any any svc-noe permit queue high
ip access-list session global-sacl
ip access-list session v6-ap-acl
   ipv6 any any svc-gre permit
   ipv6 any any svc-syslog permit
   ipv6 any user svc-snmp permit
   ipv6 user any svc-snmp-trap permit
   ipv6 user any svc-ntp permit
   ipv6 user alias controller6 svc-ftp permit
ip access-list session h323-acl
   any any svc-h323-tcp permit queue high
   any any svc-h323-udp permit queue high
ip access-list session v6-logon-control
   ipv6 any network fc007 any permit
   ipv6 any network fe8064 any permit
   ipv6 any alias ipv6-reserved-range any deny
vpn-dialer default-dialer
   ike authentication PRE-SHARE 0fa4598253e270cc96afbec0732b06120e4a3d76a908f6e2
dot1x high-watermark 60
dot1x low-watermark 57
user-role ap-role
   access-list session ra-guard
   access-list session control
   access-list session ap-acl
   access-list session v6-control
   access-list session v6-ap-acl
user-role denyall
user-role default-vpn-role
   access-list session global-sacl
   access-list session apprf-default-vpn-role-sacl
   access-list session ra-guard
   access-list session allowall
   access-list session v6-allowall
user-role cpbase
   access-list session global-sacl
   access-list session apprf-cpbase-sacl

user-role voice
   access-list session global-sacl
   access-list session apprf-voice-sacl
   access-list session ra-guard
   access-list session sip-acl
   access-list session noe-acl
   access-list session svp-acl
   access-list session vocera-acl
   access-list session skinny-acl
   access-list session h323-acl
   access-list session dhcp-acl
   access-list session tftp-acl
   access-list session dns-acl
   access-list session icmp-acl
user-role ascom
   access-list session global-sacl
   access-list session apprf-ascom-sacl
   access-list session ascom
user-role default-via-role
   access-list session global-sacl
   access-list session apprf-default-via-role-sacl
   access-list session allowall
   access-list session v6-allowall
user-role guest-logon
   captive-portal default
   access-list session ra-guard
   access-list session logon-control
   access-list session captiveportal
   access-list session v6-logon-control
   access-list session captiveportal6
user-role guest
   access-list session global-sacl
   access-list session apprf-guest-sacl
   access-list session ra-guard
   access-list session http-acl
   access-list session https-acl
   access-list session dhcp-acl
   access-list session icmp-acl
   access-list session dns-acl
   access-list session v6-http-acl
   access-list session v6-https-acl
   access-list session v6-dhcp-acl
   access-list session v6-icmp-acl
   access-list session v6-dns-acl
user-role stateful-dot1x
   access-list session global-sacl
   access-list session apprf-stateful-dot1x-sacl
user-role authenticated
   access-list session global-sacl
   access-list session apprf-authenticated-sacl
   access-list session ra-guard
   access-list session allowall
   access-list session v6-allowall
user-role logon
   access-list session ra-guard
   access-list session logon-control
   access-list session captiveportal
   access-list session vpnlogon
   access-list session v6-logon-control


  access-list session captiveportal6
no kernel coredump
interface mgmt
  shutdown
dialer group evdo_us
  init-string ATQ0V1E0
  dial-string ATDT777
dialer group gsm_us
  init-string AT+CGDCONT=1IPISPCINGULAR
  dial-string ATD99
dialer group gsm_asia
  init-string AT+CGDCONT=1IPinternet
  dial-string ATD991
dialer group vivo_br
  init-string AT+CGDCONT=1IPzapvivocombr
  dial-string ATD99
no spanning-tree
interface gigabitethernet 10
  description GE10
  trusted
  trusted vlan 1-4094
interface gigabitethernet 11
  description GE11
  trusted
  trusted vlan 1-4094
interface gigabitethernet 12
  description GE12
  trusted
  trusted vlan 1-4094
interface gigabitethernet 13
  description GE13
  trusted
  trusted vlan 1-4094
interface vlan 1
  ip address 192168013 2552552550
ip default-gateway 172201061
ip default-gateway 192168050
uplink disable


crypto isakmp policy 20
  encryption aes256
crypto isakmp policy 10001
crypto isakmp policy 10002
  encryption aes256
  authentication rsa-sig
crypto isakmp policy 10003
  encryption aes256
crypto isakmp policy 10004
  version v2
  encryption aes256
  authentication rsa-sig
crypto isakmp policy 10005
  encryption aes256
crypto isakmp policy 10006
  version v2
  encryption aes128
  authentication rsa-sig
crypto isakmp policy 10007
  version v2
  encryption aes128
crypto isakmp policy 10008
  version v2
  encryption aes128
  hash sha2-256-128
  group 19
  authentication ecdsa-256
  prf prf-hmac-sha256
crypto isakmp policy 10009
  version v2
  encryption aes256
  hash sha2-384-192
  group 20
  authentication ecdsa-384
  prf prf-hmac-sha384
crypto ipsec transform-set default-ha-transform esp-3des esp-sha-hmac
crypto ipsec transform-set default-boc-bm-transform esp-3des esp-sha-hmac
crypto ipsec transform-set default-rap-transform esp-aes256 esp-sha-hmac
crypto ipsec transform-set default-aes esp-aes256 esp-sha-hmac
crypto dynamic-map default-rap-ipsecmap 10001
  version v2
  set transform-set default-gcm256 default-gcm128 default-rap-transform
crypto dynamic-map default-dynamicmap 10000
  set transform-set default-transform default-aes


crypto map GLOBAL-IKEV2-MAP 10000 ipsec-isakmp dynamic default-rap-ipsecmap
crypto map GLOBAL-MAP 10000 ipsec-isakmp dynamic default-dynamicmap
crypto isakmp eap-passthrough eap-tls
crypto isakmp eap-passthrough eap-peap
crypto isakmp eap-passthrough eap-mschapv2
vpdn group l2tp
vpdn group pptp
tunneled-node-address 0000
adp discovery enable
adp igmp-join enable
adp igmp-vlan 0
voice rtcp-inactivity disable
voice alg-based-cac enable
voice sip-midcall-req-timeout disable
ap ap-blacklist-time 3600
ap flush-r1-on-new-r0 disable
mgmt-user admin root 5436b5a101681372db26d314e974065944317cd3e1fe6a5534
no database synchronize
ip mobile domain default
airgroup mdns enable
airgroup dlna enable
airgroup location-discovery enable
airgroup active-wireless-discovery disable
airgroupservice airplay
  id _airplay_tcp
  id _raop_tcp
  id _appletv-v2_tcp
  description AirPlay
airgroupservice airprint
  id _ipp_tcp
  id _pdl-datastream_tcp
  id _printer_tcp
  id _scanner_tcp
  id _universal_sub_ipp_tcp
  id _universal_sub_ipps_tcp
  id _printer_sub_http_tcp
  id _http_tcp


  id _http-alt_tcp
  id _ipp-tls_tcp
  id _fax-ipp_tcp
  id _riousbprint_tcp
  id _cups_sub_ipp_tcp
  id _cups_sub_fax-ipp_tcp
  id _ica-networking_tcp
  id _ptp_tcp
  id _canon-bjnp1_tcp
  id _ipps_tcp
  id _ica-networking2_tcp
  description AirPrint
airgroupservice itunes
  id _home-sharing_tcp
  id _apple-mobdev_tcp
  id _daap_tcp
  id _dacp_tcp
  description iTunes
airgroupservice remotemgmt
  id _ssh_tcp
  id _sftp-ssh_tcp
  id _ftp_tcp
  id _telnet_tcp
  id _rfb_tcp
  id _net-assistant_tcp
  description Remote management
airgroupservice sharing
  id _odisk_tcp
  id _afpovertcp_tcp
  id _xgrid_tcp
  description Sharing
airgroupservice chat
  id _presence_tcp
  description Chat
airgroupservice googlecast
  id _googlecast_tcp
  description GoogleCast supported by Chromecast etc
airgroupservice DIAL
  id urndial-multiscreen-orgservicedial1
  id urndial-multiscreen-orgdevicedial1
  description DIAL supported by Chromecast FireTV Roku etc
airgroupservice DLNA Media
  id urnschemas-upnp-orgdeviceMediaServer1
  id urnschemas-upnp-orgdeviceMediaServer2
  id urnschemas-upnp-orgdeviceMediaServer3
  id urnschemas-upnp-orgdeviceMediaServer4
  id urnschemas-upnp-orgdeviceMediaRenderer1
  id urnschemas-upnp-orgdeviceMediaRenderer2
  id urnschemas-upnp-orgdeviceMediaRenderer3
  id urnschemas-upnp-orgdeviceMediaPlayer1
  description Media
airgroupservice DLNA Print
  id urnschemas-upnp-orgdevicePrinter1
  id urnschemas-upnp-orgservicePrintBasic1
  id urnschemas-upnp-orgservicePrintEnhanced1
  description Print
airgroupservice allowall


  description Remaining-Services
airgroup service airplay enable
airgroup service airprint enable
airgroup service itunes disable
airgroup service remotemgmt disable
airgroup service sharing disable
airgroup service chat disable
airgroup service googlecast disable
airgroup service DIAL enable
airgroup service DLNA Media disable
airgroup service DLNA Print disable
airgroup service allowall disable
ip igmp
ipv6 mld
no firewall attack-rate cp 1024
firewall enable ICE-STUN based firewall traversal
firewall attack-rate grat-arp 50 drop
ipv6 firewall ext-hdr-parse-len 100
firewall cp
ip domain lookup
country US
aaa authentication mac default
aaa authentication dot1x ArubaIntop-dot1x_prof
aaa authentication dot1x ascom
  machine-authentication enable
  machine-authentication machine-default-role ascom
  machine-authentication user-default-role authenticated
  reauthentication
  termination enable
  termination eap-type eap-peap
  termination inner-eap-type eap-mschapv2
aaa authentication dot1x default
aaa authentication dot1x Freeradius
  machine-authentication enable
  machine-authentication machine-default-role ascom
  machine-authentication user-default-role authenticated
aaa authentication-server radius Intop
  host 19216802


  key 6035e299cd29e5ccb74cf92aac31ee2f
aaa server-group ascom
  auth-server Internal
aaa server-group default
  auth-server Internal
  set role condition role value-of
aaa server-group intop
  auth-server Intop
aaa profile ascom
  initial-role ascom
  authentication-dot1x ascom
  dot1x-default-role authenticated
  dot1x-server-group ascom
aaa profile default
aaa profile default-dot1x
  initial-role ascom
  authentication-dot1x Freeradius
  dot1x-default-role authenticated
  dot1x-server-group intop
aaa profile default-dot1x-psk
  initial-role ascom
  authentication-dot1x default-psk
  dot1x-default-role authenticated
aaa authentication captive-portal default
aaa authentication wispr default
aaa authentication vpn default
aaa authentication vpn default-rap
aaa authentication mgmt
aaa authentication stateful-ntlm default
aaa authentication stateful-kerberos default
aaa authentication stateful-dot1x
  server-group intop
aaa authentication wired
web-server
guest-access-email
voice logging
voice dialplan-profile default
app lync traffic-control default
voice real-time-config
voice sip
aaa password-policy mgmt


control-plane-security
  no cpsec-enable
ids wms-general-profile
  poll-retries 3
ids wms-local-system-profile
valid-network-oui-profile
upgrade-profile
license profile
activate-service-whitelist
file syncing profile
ifmap cppm
pan profile default
pan active-profile
ap system-profile default
ap regulatory-domain-profile default
  country-code US
  valid-11g-channel 1
  valid-11g-channel 6
  valid-11g-channel 11
  valid-11a-channel 36
  valid-11a-channel 40
  valid-11a-channel 44
  valid-11a-channel 48
  valid-11a-channel 149
  valid-11a-channel 153
  valid-11a-channel 157
  valid-11a-channel 161
  valid-11a-channel 165
  valid-11g-40mhz-channel-pair 1-5
  valid-11g-40mhz-channel-pair 7-11
  valid-11a-40mhz-channel-pair 36-40
  valid-11a-40mhz-channel-pair 44-48
  valid-11a-40mhz-channel-pair 149-153
  valid-11a-40mhz-channel-pair 157-161
ap wired-ap-profile default
ap enet-link-profile default
ap mesh-ht-ssid-profile default
ap lldp med-network-policy-profile default
ap mesh-cluster-profile default
ap lldp profile default
ap mesh-radio-profile default
ap wired-port-profile default
ids general-profile default
ids unauthorized-device-profile default


ids profile default
rf arm-profile default
  assignment disable
rf arm-profile disable
  assignment disable
  no scanning
  no multi-band-scan
rf optimization-profile default
rf event-thresholds-profile default
rf am-scan-profile default
rf dot11a-radio-profile ch 165
  channel 48E
  tx-power 6
  arm-profile disable
rf dot11a-radio-profile ch 36
  channel 36E
  tx-power 25
  dot11h
  arm-profile disable
rf dot11a-radio-profile ch 40
  channel 40-
  tx-power 22
rf dot11a-radio-profile ch149
  channel 149E
  tx-power 6
  dot11h
rf dot11a-radio-profile ch44
  channel 44
  tx-power 16
rf dot11a-radio-profile default
  arm-profile disable
rf dot11g-radio-profile channel-1
  channel 1
  tx-power 6
  dot11h
  arm-profile disable
rf dot11g-radio-profile channel-11
  channel 11
  tx-power 30
  dot11h
  arm-profile disable
rf dot11g-radio-profile channel-6
  channel 6
  tx-power 25
  dot11h
  arm-profile disable
rf dot11g-radio-profile default
wlan handover-trigger-profile default


wlan rrm-ie-profile default
wlan bcn-rpt-req-profile default
wlan dot11r-profile default
wlan tsm-req-profile default
wlan voip-cac-profile default
  call-capacity 5
  bandwidth-capacity 200
  send-sip-status-code client 503
  send-sip-status-code server 503
wlan ht-ssid-profile default
  no 40MHz-enable
  no very-high-throughput-enable
  no 80MHz-enable
  no short-guard-intvl-20MHz
  no short-guard-intvl-40MHz
  no short-guard-intvl-80MHz
wlan hotspot anqp-venue-name-profile default
wlan hotspot anqp-nwk-auth-profile default
wlan hotspot anqp-roam-cons-profile default
wlan hotspot anqp-nai-realm-profile default
wlan hotspot anqp-3gpp-nwk-profile default
wlan hotspot h2qp-operator-friendly-name-profile default
wlan hotspot h2qp-wan-metrics-profile default
wlan hotspot h2qp-conn-capability-profile default
wlan hotspot h2qp-op-cl-profile default
wlan hotspot anqp-ip-addr-avail-profile default
wlan hotspot anqp-domain-name-profile default
wlan wmm-traffic-management-profile Ascom
  enable-shaping
wlan edca-parameters-profile station default
wlan edca-parameters-profile ap default
wlan dot11k-profile default
wlan ssid-profile --NEW--
  essid ArubaIntop2
  wmm-vo-dscp 56
  wmm-vi-dscp 40
  wmm-be-dscp 24
  wmm-bk-dscp 8
wlan ssid-profile default
  essid ArubaIntop
  opmode wpa2-psk-aes
  dtim-period 5
  g-basic-rates 6
  g-tx-rates 11 12 18 24 36 48 54


  max-retries 4
  wmm
  wmm-vo-dscp 46
  wmm-vi-dscp 40
  wmm-be-dscp 26
  wmm-bk-dscp 0
  wepkey1 1317981aecb1ee9a3145cbeeabbbc99a4c29e309ef9c8544
  wpa-passphrase 50a78a5dac7e447441e028920cceef898a3ba5f29c6e2098
  max-tx-fail 25
  edca-parameters-profile station default
  edca-parameters-profile ap default
wlan ssid-profile test
  opmode wpa2-psk-aes
  wmm-vo-dscp 56
  wmm-vi-dscp 40
  wmm-be-dscp 24
  wmm-bk-dscp 8
  wpa-passphrase c66913b490044f55538730b888a8522c02008a746fb88738
wlan hotspot advertisement-profile default
wlan hotspot hs2-profile default
wlan virtual-ap default
  aaa-profile default-dot1x
ap provisioning-profile default
rf arm-rf-domain-profile
  arm-rf-domain-key 49868e8b02680a8f03980ea4288197a4
ap-lacp-striping-ip
ap-group default
  virtual-ap default
  dot11a-radio-profile ch149
  dot11g-radio-profile channel-6
ap-name 001a1eca2c1a
  dot11a-radio-profile ch 36
  dot11g-radio-profile channel-11
ap-name 001a1eca2c76
  dot11a-radio-profile ch 36
  dot11g-radio-profile channel-1
ap-name 00246ccbf8b1
ap-name 00246ccbf900
  dot11a-radio-profile ch44
  dot11g-radio-profile channel-11
ap-name 24dec6cacabc
  dot11a-radio-profile ch149
  dot11g-radio-profile channel-1
ap-name 3400-ap-61-a
  dot11g-radio-profile channel-6
ap-name 3400-ap-61-b
  dot11g-radio-profile channel-6
ap-name 9c1c12c0c3bc
  dot11a-radio-profile ch 165
  dot11g-radio-profile channel-6


ap-name 9c1c12c82e5c
  dot11a-radio-profile ch149
  dot11g-radio-profile channel-1
ap-name 9c1c12cc6220
  dot11a-radio-profile ch 36
  dot11g-radio-profile channel-6
ap-name d8c7c8c0a168
  dot11a-radio-profile ch 36
  dot11g-radio-profile channel-1
airgroup cppm-server aaa
logging level warnings security subcat ids
logging level warnings security subcat ids-ap
snmp-server enable trap
snmp-server trap source 0000
snmp-server trap disable wlsxAdhocNetwork
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedAP
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedSta
snmp-server trap disable wlsxAdhocUsingValidSSID
snmp-server trap disable wlsxAuthMaxAclEntries
snmp-server trap disable wlsxAuthMaxBWContracts
snmp-server trap disable wlsxAuthMaxUserEntries
snmp-server trap disable wlsxAuthServerIsUp
snmp-server trap disable wlsxAuthServerReqTimedOut
snmp-server trap disable wlsxAuthServerTimedOut
snmp-server trap disable wlsxChannelChanged
snmp-server trap disable wlsxCoverageHoleDetected
snmp-server trap disable wlsxDBCommunicationFailure
snmp-server trap disable wlsxDisconnectStationAttack
snmp-server trap disable wlsxESIServerDown
snmp-server trap disable wlsxESIServerUp
snmp-server trap disable wlsxFanFailure
snmp-server trap disable wlsxFanTrayInserted
snmp-server trap disable wlsxFanTrayRemoved
snmp-server trap disable wlsxGBICInserted
snmp-server trap disable wlsxIpSpoofingDetected
snmp-server trap disable wlsxLCInserted
snmp-server trap disable wlsxLCRemoved
snmp-server trap disable wlsxLicenseExpiry
snmp-server trap disable wlsxLowMemory
snmp-server trap disable wlsxLowOnFlashSpace
snmp-server trap disable wlsxOutOfRangeTemperature
snmp-server trap disable wlsxOutOfRangeVoltage
snmp-server trap disable wlsxPowerSupplyFailure
snmp-server trap disable wlsxPowerSupplyMissing
snmp-server trap disable wlsxProcessDied
snmp-server trap disable wlsxProcessExceedsMemoryLimits
snmp-server trap disable wlsxSCInserted
snmp-server trap disable wlsxSignatureMatch
snmp-server trap disable wlsxStaUnAssociatedFromUnsecureAP
snmp-server trap disable wlsxStationAddedToBlackList
snmp-server trap disable wlsxStationRemovedFromBlackList
snmp-server trap disable wlsxSwitchIPChanged
snmp-server trap disable wlsxSwitchRoleChange
snmp-server trap disable wlsxUserAuthenticationFailed
snmp-server trap disable wlsxUserEntryAuthenticated
snmp-server trap disable wlsxUserEntryChanged
snmp-server trap disable wlsxUserEntryCreated
snmp-server trap disable wlsxUserEntryDeAuthenticated
snmp-server trap disable wlsxUserEntryDeleted
snmp-server trap disable wlsxVrrpStateChange


firewall-visibility
process monitor log
end

wlsxAdhocNetworkBridgeDetectedAPsnmp-server trap disable wlsxAdhocNetworkBridgeDetectedStasnmp-server trap disable wlsxAdhocUsingValidSSIDsnmp-server trap disable wlsxAuthMaxAclEntriessnmp-server trap disable wlsxAuthMaxBWContractssnmp-server trap disable wlsxAuthMaxUserEntriessnmp-server trap disable wlsxAuthServerIsUpsnmp-server trap disable wlsxAuthServerReqTimedOutsnmp-server trap disable wlsxAuthServerTimedOutsnmp-server trap disable wlsxChannelChangedsnmp-server trap disable wlsxCoverageHoleDetectedsnmp-server trap disable wlsxDBCommunicationFailuresnmp-server trap disable wlsxDisconnectStationAttacksnmp-server trap disable wlsxESIServerDownsnmp-server trap disable wlsxESIServerUpsnmp-server trap disable wlsxFanFailuresnmp-server trap disable wlsxFanTrayInsertedsnmp-server trap disable wlsxFanTrayRemovedsnmp-server trap disable wlsxGBICInsertedsnmp-server trap disable wlsxIpSpoofingDetectedsnmp-server trap disable wlsxLCInsertedsnmp-server trap disable wlsxLCRemovedsnmp-server trap disable wlsxLicenseExpirysnmp-server trap disable wlsxLowMemorysnmp-server trap disable wlsxLowOnFlashSpacesnmp-server trap disable wlsxOutOfRangeTemperaturesnmp-server trap disable wlsxOutOfRangeVoltagesnmp-server trap disable wlsxPowerSupplyFailuresnmp-server trap disable wlsxPowerSupplyMissingsnmp-server trap disable wlsxProcessDiedsnmp-server trap disable wlsxProcessExceedsMemoryLimitssnmp-server trap disable wlsxSCInsertedsnmp-server trap disable wlsxSignatureMatchsnmp-server trap disable wlsxStaUnAssociatedFromUnsecureAPsnmp-server trap disable wlsxStationAddedToBlackListsnmp-server trap disable wlsxStationRemovedFromBlackListsnmp-server trap disable wlsxSwitchIPChangedsnmp-server trap disable wlsxSwitchRoleChangesnmp-server trap disable wlsxUserAuthenticationFailedsnmp-server trap disable wlsxUserEntryAuthenticatedsnmp-server trap disable wlsxUserEntryChangedsnmp-server trap disable wlsxUserEntryCreatedsnmp-server trap disable wlsxUserEntryDeAuthenticatedsnmp-server trap 
disable wlsxUserEntryDeletedsnmp-server trap disable wlsxVrrpStateChangefirewall-visibility process monitor logend

WLAN Interoperability Test Report

Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP115 and AP225

WLAN configuration:
Beacon Interval 100ms
DTIM Interval 5
802.11d Regulatory Domain XX
WMM Enabled (AutoWMM)
No Auto-tune
Single Voice VLAN

| Test Case | Description | AP115 2.4GHz | AP115 5.0GHz | AP225 2.4GHz | AP225 5.0GHz | Comment | |
|---|---|---|---|---|---|---|---|
| | TEST AREA ASSOCIATION / AUTHENTICATION | | | | | | |
| 101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS | | |
| 104 | Association with WPA-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 | |
| 105 | Association with WPA-PSK authentication, AES-CCMP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 | |
| 106 | Association with WPA2-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | | |
| 107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS | | |
| 110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA | FAIL |
| 111 | Association with EAP-FAST authentication | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | | |
| 115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | | See Comment |
| 116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate | |
| | TEST AREA POWER-SAVE AND QOS | | | | | | PASS |
| 150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | | FAIL |
| 151 | Beacon period and DTIM interval | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | | NOT TESTED |
| 152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | | See Comment |
| 202 | WMM prioritization | PASS | PASS | PASS | PASS | Background load generated with iPerf. No degeneration of voice quality | |
| | TEST AREA PERFORMANCE | | | | | | |
| 301 | Active mode - unencrypted | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | | |
| 303 | Active mode - encrypted with WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | | |
| 308 | Power-save mode U-APSD - WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | | |
| 309 | Power-save mode U-APSD - WPA2-PSK AES, background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | | |
| 310 | CAC - TSPEC | PASS | PASS | PASS | PASS | No TSPEC based CAC | |
| | TEST AREA ROAMING AND HANDOVER TIMES | | | | | | |
| 401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | avg a/n 24ms, b/g/n 24ms | |
| 403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | | |
| 404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 52ms, b/g/n 59ms | |
| 408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 63ms, b/g/n 62ms | |
| 410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | Always on, see 408 | |
| 411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | Always on, see 408 | |
| | TEST AREA BATTERY LIFETIME | | | | | | |
| 501 | Battery lifetime in idle | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | | |
| 502 | Battery lifetime in call with no power save | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | | |
| 504 | Battery lifetime in call with power save mode U-APSD | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | | |
| | TEST AREA STABILITY | | | | | | |
| 601 | Duration of call - Active mode | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | | |
| 602 | Duration of call - U-APSD mode | PASS | PASS | PASS | PASS | | |
| | TEST AREA 802.11n | | | | | | |
| 801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | | |
| 802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | | |
| 804 | 40MHz channels | NOT TESTED | PASS | NOT TESTED | NOT TESTED | | |
| 805 | 802.11n rates | PASS | PASS | PASS | PASS | | |

WLAN Interoperability Test Report

Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP103 and AP205

WLAN configuration:
Beacon Interval 100ms
DTIM Interval 5
802.11d Regulatory Domain XX
WMM Enabled (AutoWMM)
No Auto-tune
Single Voice VLAN

| Test Case | Description | AP205 2.4GHz | AP205 5.0GHz | AP103 2.4GHz | AP103 5.0GHz | Comment | |
|---|---|---|---|---|---|---|---|
| | TEST AREA ASSOCIATION / AUTHENTICATION | | | | | | |
| 101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS | | |
| 104 | Association with WPA-PSK authentication, TKIP encryption | See Comment | See Comment | See Comment | See Comment | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 | |
| 105 | Association with WPA-PSK authentication, AES-CCMP encryption | See Comment | See Comment | See Comment | See Comment | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 | |
| 106 | Association with WPA2-PSK authentication, TKIP encryption | PASS | PASS | PASS | PASS | | |
| 107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS | | |
| 110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA | FAIL |
| 115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | | See Comment |
| 116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate | |
| | TEST AREA POWER-SAVE AND QOS | | | | | | PASS |
| 150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | | FAIL |
| 151 | Beacon period and DTIM interval | See Comment | See Comment | PASS | PASS | Only DTIM 1 for AP205. AP103 no remark | NOT TESTED |
| 152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | | See Comment |
| 202 | WMM prioritization | PASS | PASS | PASS | PASS | | |
| | TEST AREA PERFORMANCE | | | | | | |
| 301 | Active mode - unencrypted | PASS | PASS | PASS | PASS | | |
| 303 | Active mode - encrypted with WPA2-PSK | PASS | PASS | PASS | PASS | | |
| 308 | Power-save mode U-APSD - WPA2-PSK | PASS | PASS | PASS | PASS | | |
| 309 | Power-save mode U-APSD - WPA2-PSK AES, background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | | |
| 310 | CAC - TSPEC | PASS | PASS | PASS | PASS | Non tspec based CAC | |
| | TEST AREA ROAMING AND HANDOVER TIMES | | | | | | |
| 401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 16ms, b/g/n 18ms | |
| 403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | | |
| 404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 53ms, b/g/n 59ms | |
| 408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 46ms, b/g/n 62ms | |
| 410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | Always on, see 408 | |
| 411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | Always on, see 408 | |
| | TEST AREA BATTERY LIFETIME | | | | | | |
| 501 | Battery lifetime in idle | See Comment | See Comment | PASS | PASS | 60-70h due to DTIM 1 only; AP103 90-100h (DTIM 5) | |
| 502 | Battery lifetime in call with no power save | PASS | PASS | PASS | PASS | 3-4 hours | |
| 504 | Battery lifetime in call with power save mode U-APSD | PASS | PASS | PASS | PASS | 13h (14-16h for AP103) | |
| | TEST AREA STABILITY | | | | | | |
| 601 | Duration of call - Active mode | PASS | PASS | PASS | PASS | 24h + | |
| 602 | Duration of call - U-APSD mode | PASS | PASS | PASS | PASS | 24h + | |
| | TEST AREA 802.11n | | | | | | |
| 801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | | |
| 802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | | |
| 804 | 40MHz channels | NOT TESTED | PASS | NOT TESTED | PASS | AP205 80MHz channels verified ok | |
| 805 | 802.11n rates | PASS | PASS | PASS | PASS | | |

WLAN Interoperability Test Report

Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP105 and AP135

WLAN configuration:
Beacon Interval 100ms
DTIM Interval 5
802.11d Regulatory Domain XX
WMM Enabled (AutoWMM)
No Auto-tune
Single Voice VLAN

| Test Case | Description | AP105 2.4GHz | AP105 5.0GHz | AP135 2.4GHz | AP135 5.0GHz | Comment | |
|---|---|---|---|---|---|---|---|
| | TEST AREA ASSOCIATION / AUTHENTICATION | | | | | | |
| 101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS | | |
| 104 | Association with WPA-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 | |
| 105 | Association with WPA-PSK authentication, AES-CCMP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 | |
| 106 | Association with WPA2-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | | |
| 107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS | | |
| 110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA | FAIL |
| 115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | | See Comment |
| 116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate | |
| | TEST AREA POWER-SAVE AND QOS | | | | | | PASS |
| 150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | | FAIL |
| 151 | Beacon period and DTIM interval | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Only DTIM 1 for AP205. AP103 no remark | NOT TESTED |
| 152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | | See Comment |
| 202 | WMM prioritization | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Background load generated with iPerf. No degeneration of voice quality | |
| | TEST AREA PERFORMANCE | | | | | | |
| 301 | Active mode - unencrypted | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | | |
| 303 | Active mode - encrypted with WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | | |
| 308 | Power-save mode U-APSD - WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | | |
| 309 | Power-save mode U-APSD - WPA2-PSK AES, background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | | |
| 310 | CAC - TSPEC | PASS | PASS | PASS | PASS | No TSPEC based CAC | |
| | TEST AREA ROAMING AND HANDOVER TIMES | | | | | | |
| 401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | avg a/n 29ms, b/g/n 27ms | |
| 403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | | |
| 404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 57ms, b/g/n 55ms | |
| 408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 62ms, b/g/n 60ms | |
| 410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | Always on, see 408 | |
| 411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | Always on, see 408 | |
| 412 | Preauthentication | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | | |
| | TEST AREA BATTERY LIFETIME | | | | | | |
| 501 | Battery lifetime in idle | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | | |
| 502 | Battery lifetime in call with no power save | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | | |
| 504 | Battery lifetime in call with power save mode U-APSD | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | | |
| | TEST AREA STABILITY | | | | | | |
| 601 | Duration of call - Active mode | PASS | PASS | PASS | PASS | | |
| 602 | Duration of call - U-APSD mode | PASS | PASS | PASS | PASS | | |
| | TEST AREA 802.11n | | | | | | |
| 801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | | |
| 802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | | |
| 804 | 40MHz channels | NOT TESTED | NOT TESTED | NOT TESTED | PASS | | |
| 805 | 802.11n rates | PASS | PASS | PASS | PASS | | |

Network settings for 802.1X authentication (PEAP-MSCHAPv2)

802.1X authentication requires a root certificate to be uploaded to the phone by “right clicking” -> Edit certificates. EAP-TLS will require both a root and a client certificate.

Note that both a root and a client certificate are needed for TLS. Otherwise only a root certificate is needed.

Server certificate validation can be overridden in version 4.1.12 and above per handset setting (Validate server certificate under Network settings).

APPENDIX B

Test Summary

| Description | Runs |
|---|---|
| Tests passed | 24 |
| Tests Not Run | 11 |
| Tests fail | 0 |
| Test NA | 0 |
| Total Number of Tests | 35 |

Aruba Test Configuration File

version 64
enable secret 7d3988e20126db68084797bcc038534bffc2ced01c24555806
hostname Aruba3400
clock timezone PST -8
location Building1floor1
controller config 716
ip NAT pool dynamic-srcnat 0000 0000
ip access-list eth validuserethacl
   permit any
netservice svc-pcoip2-tcp tcp 4172
netservice svc-snmp-trap udp 162
netservice svc-netbios-dgm udp 138
netservice svc-citrix tcp 2598
netservice svc-smb-tcp tcp 445
netservice svc-ike udp 500
netservice svc-l2tp udp 1701
netservice svc-syslog udp 514
netservice svc-dhcp udp 67 68 alg dhcp
netservice svc-https tcp 443
netservice svc-ica tcp 1494
netservice svc-pptp tcp 1723
netservice svc-telnet tcp 23
netservice svc-http-accl tcp 88
netservice svc-sccp tcp 2000 alg sccp
netservice svc-sec-papi udp 8209
netservice svc-tftp udp 69 alg tftp
netservice svc-kerberos udp 88
netservice svc-sip-tcp tcp 5060
netservice svc-netbios-ssn tcp 139
netservice svc-pcoip-udp udp 50002
netservice svc-pcoip-tcp tcp 50002
netservice svc-pop3 tcp 110
netservice svc-adp udp 8200
netservice svc-cfgm-tcp tcp 8211
netservice svc-noe udp 32512 alg noe
netservice svc-http-proxy3 tcp 8888
netservice svc-lpd-tcp tcp 631
netservice svc-msrpc-tcp tcp 135 139
netservice svc-rtsp tcp 554 alg rtsp
netservice svc-dns udp 53 alg dns
netservice vnc tcp 5900 5905
netservice svc-vocera udp 5002 alg vocera
netservice svc-h323-tcp tcp 1720
netservice svc-h323-udp udp 1718 1719
netservice svc-http tcp 80
netservice svc-nterm tcp 1026 1028
netservice svc-sip-udp udp 5060
netservice svc-http-proxy2 tcp 8080
netservice svc-noe-oxo udp 5000 alg noe
netservice svc-papi udp 8211
netservice svc-ftp tcp 21 alg ftp
netservice svc-natt udp 4500
netservice svc-svp 119 alg svp
netservice svc-microsoft-ds tcp 445
netservice svc-gre 47
netservice svc-smtp tcp 25
netservice web tcp list 80 443
netservice svc-smb-udp udp 445
netservice svc-sips tcp 5061 alg sips
netservice svc-netbios-ns udp 137
netservice svc-esp 50

netservice svc-cups tcp 515
netservice svc-pcoip2-udp udp 4172
netservice svc-bootp udp 67 69
netservice svc-snmp udp 161
netservice svc-v6-dhcp udp 546 547
netservice svc-icmp 1
netservice svc-ntp udp 123
netservice svc-msrpc-udp udp 135 139
netservice svc-ssh tcp 22
netservice svc-http-proxy1 tcp 3128
netservice svc-v6-icmp 58
netservice svc-lpd-udp udp 631
netservice svc-vmware-rdp tcp 3389
netdestination6 ipv6-reserved-range
   invert
   network 20003
netexthdr default
time-range night-hours periodic
   weekday 1801 to 2359
   weekday 0000 to 0759
time-range weekend periodic
   weekend 0000 to 2359
time-range working-hours periodic
   weekday 0800 to 1800
ip access-list session allow-diskservices
   any any svc-netbios-dgm permit
   any any svc-netbios-ssn permit
   any any svc-microsoft-ds permit
   any any svc-netbios-ns permit
ip access-list session control
   any any svc-papi permit
   any any svc-sec-papi permit
   user any udp 68 deny
   any any svc-icmp permit
   any any svc-dns permit
   any any svc-cfgm-tcp permit
   any any svc-adp permit
   any any svc-tftp permit
   any any svc-dhcp permit
   any any svc-natt permit
ip access-list session v6-icmp-acl
ip access-list session apprf-ascom-sacl
ip access-list session validuser
   network 16925400 25525500 any any deny
   network 127000 255000 any any deny
   network 224000 240000 any any deny
   host 255255255255 any any deny
   network 240000 240000 any any deny
   any any any permit
   ipv6 host fe80 any any deny
   ipv6 network fc007 any any permit
   ipv6 network fe8064 any any permit
   ipv6 alias ipv6-reserved-range any any deny
   ipv6 any any any permit
ip access-list session vocera-acl
   any any svc-vocera permit queue high

ip access-list session v6-https-acl
ip access-list session vmware-acl
   any any svc-vmware-rdp permit tos 46 dot1p-priority 6
   any any svc-pcoip-tcp permit tos 46 dot1p-priority 6
   any any svc-pcoip-udp permit tos 46 dot1p-priority 6
   any any svc-pcoip2-tcp permit tos 46 dot1p-priority 6
   any any svc-pcoip2-udp permit tos 46 dot1p-priority 6
ip access-list session apprf-default-vpn-role-sacl
ip access-list session v6-control
   ipv6 any any svc-papi permit
   ipv6 any any svc-sec-papi permit
   ipv6 user any udp 547 deny
   ipv6 any any svc-v6-icmp permit
   ipv6 any any svc-dns permit
   ipv6 any any svc-cfgm-tcp permit
   ipv6 any any svc-adp permit
   ipv6 any any svc-tftp permit
   ipv6 any any svc-dhcp permit
   ipv6 any any svc-natt permit
ip access-list session icmp-acl
   any any svc-icmp permit
ip access-list session apprf-authenticated-sacl
ip access-list session apprf-stateful-dot1x-sacl
ip access-list session captiveportal
   user alias controller svc-https dst-nat 8081
   user any svc-http dst-nat 8080
   user any svc-https dst-nat 8081
   user any svc-http-proxy1 dst-nat 8088
   user any svc-http-proxy2 dst-nat 8088
   user any svc-http-proxy3 dst-nat 8088
ip access-list session v6-dhcp-acl
ip access-list session allowall
   any any any permit
ip access-list session v6-dns-acl
ip access-list session apprf-voice-sacl
ip access-list session lync-acl
   any any svc-sips permit queue high
ip access-list session test
ip access-list session sip-acl
   any any svc-sip-udp permit queue high
   any any svc-sip-tcp permit queue high
ip access-list session https-acl
   any any svc-https permit
ip access-list session citrix-acl
   any any svc-citrix permit tos 46 dot1p-priority 6
   any any svc-ica permit tos 46 dot1p-priority 6
ip access-list session dns-acl
   any any svc-dns permit

ip access-list session ascom
   any any any permit
ip access-list session ra-guard
   ipv6 user any icmpv6 rtr-adv deny
ip access-list session allow-printservices
   any any svc-cups permit
   any any svc-lpd-tcp permit
   any any svc-lpd-udp permit
ip access-list session logon-control
   user any udp 68 deny
   any any svc-icmp permit
   any any svc-dns permit
   any any svc-dhcp permit
   any any svc-natt permit
   any network 16925400 25525500 any deny
   any network 240000 240000 any deny
ip access-list session vpnlogon
   user any svc-ike permit
   user any svc-esp permit
   any any svc-l2tp permit
   any any svc-pptp permit
   any any svc-gre permit
ip access-list session srcnat
   user any any src-nat
ip access-list session skinny-acl
   any any svc-sccp permit queue high
ip access-list session tftp-acl
   any any svc-tftp permit
ip access-list session v6-allowall
ip access-list session apprf-cpbase-sacl
ip access-list session cplogout
   user alias controller svc-https dst-nat 8081
ip access-list session apprf-default-via-role-sacl
ip access-list session dhcp-acl
   any any svc-dhcp permit
ip access-list session http-acl
   any any svc-http permit
ip access-list session v6-http-acl
ip access-list session captiveportal6
   ipv6 user alias controller6 svc-https captive
   ipv6 user any svc-http captive
   ipv6 user any svc-https captive
   ipv6 user any svc-http-proxy1 captive
   ipv6 user any svc-http-proxy2 captive
   ipv6 user any svc-http-proxy3 captive
ip access-list session apprf-guest-sacl
ip access-list session ap-uplink-acl
   any any udp 68 permit

   any any svc-icmp permit
   any host 22400251 udp 5353 permit
ip access-list session ap-acl
   any any svc-gre permit
   any any svc-syslog permit
   any user svc-snmp permit
   user any svc-http permit
   user any svc-http-accl permit
   user any svc-smb-tcp permit
   user any svc-msrpc-tcp permit
   user any svc-snmp-trap permit
   user any svc-ntp permit
   user alias controller svc-ftp permit
ip access-list session svp-acl
   any any svc-svp permit queue high
   user host 22401116 any permit
ip access-list session noe-acl
   any any svc-noe permit queue high
ip access-list session global-sacl
ip access-list session v6-ap-acl
   ipv6 any any svc-gre permit
   ipv6 any any svc-syslog permit
   ipv6 any user svc-snmp permit
   ipv6 user any svc-snmp-trap permit
   ipv6 user any svc-ntp permit
   ipv6 user alias controller6 svc-ftp permit
ip access-list session h323-acl
   any any svc-h323-tcp permit queue high
   any any svc-h323-udp permit queue high
ip access-list session v6-logon-control
   ipv6 any network fc007 any permit
   ipv6 any network fe8064 any permit
   ipv6 any alias ipv6-reserved-range any deny
vpn-dialer default-dialer
   ike authentication PRE-SHARE 0fa4598253e270cc96afbec0732b06120e4a3d76a908f6e2
dot1x high-watermark 60
dot1x low-watermark 57
user-role ap-role
   access-list session ra-guard
   access-list session control
   access-list session ap-acl
   access-list session v6-control
   access-list session v6-ap-acl
user-role denyall
user-role default-vpn-role
   access-list session global-sacl
   access-list session apprf-default-vpn-role-sacl
   access-list session ra-guard
   access-list session allowall
   access-list session v6-allowall
user-role cpbase
   access-list session global-sacl
   access-list session apprf-cpbase-sacl

user-role voice
   access-list session global-sacl
   access-list session apprf-voice-sacl
   access-list session ra-guard
   access-list session sip-acl
   access-list session noe-acl
   access-list session svp-acl
   access-list session vocera-acl
   access-list session skinny-acl
   access-list session h323-acl
   access-list session dhcp-acl
   access-list session tftp-acl
   access-list session dns-acl
   access-list session icmp-acl
user-role ascom
   access-list session global-sacl
   access-list session apprf-ascom-sacl
   access-list session ascom
user-role default-via-role
   access-list session global-sacl
   access-list session apprf-default-via-role-sacl
   access-list session allowall
   access-list session v6-allowall
user-role guest-logon
   captive-portal default
   access-list session ra-guard
   access-list session logon-control
   access-list session captiveportal
   access-list session v6-logon-control
   access-list session captiveportal6
user-role guest
   access-list session global-sacl
   access-list session apprf-guest-sacl
   access-list session ra-guard
   access-list session http-acl
   access-list session https-acl
   access-list session dhcp-acl
   access-list session icmp-acl
   access-list session dns-acl
   access-list session v6-http-acl
   access-list session v6-https-acl
   access-list session v6-dhcp-acl
   access-list session v6-icmp-acl
   access-list session v6-dns-acl
user-role stateful-dot1x
   access-list session global-sacl
   access-list session apprf-stateful-dot1x-sacl
user-role authenticated
   access-list session global-sacl
   access-list session apprf-authenticated-sacl
   access-list session ra-guard
   access-list session allowall
   access-list session v6-allowall
user-role logon
   access-list session ra-guard
   access-list session logon-control
   access-list session captiveportal
   access-list session vpnlogon
   access-list session v6-logon-control

   access-list session captiveportal6
no kernel coredump
interface mgmt
   shutdown
dialer group evdo_us
   init-string ATQ0V1E0
   dial-string ATDT777
dialer group gsm_us
   init-string AT+CGDCONT=1IPISPCINGULAR
   dial-string ATD99
dialer group gsm_asia
   init-string AT+CGDCONT=1IPinternet
   dial-string ATD991
dialer group vivo_br
   init-string AT+CGDCONT=1IPzapvivocombr
   dial-string ATD99
no spanning-tree
interface gigabitethernet 10
   description GE10
   trusted
   trusted vlan 1-4094
interface gigabitethernet 11
   description GE11
   trusted
   trusted vlan 1-4094
interface gigabitethernet 12
   description GE12
   trusted
   trusted vlan 1-4094
interface gigabitethernet 13
   description GE13
   trusted
   trusted vlan 1-4094
interface vlan 1
   ip address 192168013 2552552550
ip default-gateway 172201061
ip default-gateway 192168050
uplink disable

crypto isakmp policy 20
   encryption aes256
crypto isakmp policy 10001
crypto isakmp policy 10002
   encryption aes256
   authentication rsa-sig
crypto isakmp policy 10003
   encryption aes256
crypto isakmp policy 10004
   version v2
   encryption aes256
   authentication rsa-sig
crypto isakmp policy 10005
   encryption aes256
crypto isakmp policy 10006
   version v2
   encryption aes128
   authentication rsa-sig
crypto isakmp policy 10007
   version v2
   encryption aes128
crypto isakmp policy 10008
   version v2
   encryption aes128
   hash sha2-256-128
   group 19
   authentication ecdsa-256
   prf prf-hmac-sha256
crypto isakmp policy 10009
   version v2
   encryption aes256
   hash sha2-384-192
   group 20
   authentication ecdsa-384
   prf prf-hmac-sha384
crypto ipsec transform-set default-ha-transform esp-3des esp-sha-hmac
crypto ipsec transform-set default-boc-bm-transform esp-3des esp-sha-hmac
crypto ipsec transform-set default-rap-transform esp-aes256 esp-sha-hmac
crypto ipsec transform-set default-aes esp-aes256 esp-sha-hmac
crypto dynamic-map default-rap-ipsecmap 10001
   version v2
   set transform-set default-gcm256 default-gcm128 default-rap-transform
crypto dynamic-map default-dynamicmap 10000
   set transform-set default-transform default-aes

crypto map GLOBAL-IKEV2-MAP 10000 ipsec-isakmp dynamic default-rap-ipsecmap
crypto map GLOBAL-MAP 10000 ipsec-isakmp dynamic default-dynamicmap
crypto isakmp eap-passthrough eap-tls
crypto isakmp eap-passthrough eap-peap
crypto isakmp eap-passthrough eap-mschapv2
vpdn group l2tp
vpdn group pptp
tunneled-node-address 0000
adp discovery enable
adp igmp-join enable
adp igmp-vlan 0
voice rtcp-inactivity disable
voice alg-based-cac enable
voice sip-midcall-req-timeout disable
ap ap-blacklist-time 3600
ap flush-r1-on-new-r0 disable
mgmt-user admin root 5436b5a101681372db26d314e974065944317cd3e1fe6a5534
no database synchronize
ip mobile domain default
airgroup mdns enable
airgroup dlna enable
airgroup location-discovery enable
airgroup active-wireless-discovery disable
airgroupservice airplay
   id _airplay_tcp
   id _raop_tcp
   id _appletv-v2_tcp
   description AirPlay
airgroupservice airprint
   id _ipp_tcp
   id _pdl-datastream_tcp
   id _printer_tcp
   id _scanner_tcp
   id _universal_sub_ipp_tcp
   id _universal_sub_ipps_tcp
   id _printer_sub_http_tcp
   id _http_tcp

   id _http-alt_tcp
   id _ipp-tls_tcp
   id _fax-ipp_tcp
   id _riousbprint_tcp
   id _cups_sub_ipp_tcp
   id _cups_sub_fax-ipp_tcp
   id _ica-networking_tcp
   id _ptp_tcp
   id _canon-bjnp1_tcp
   id _ipps_tcp
   id _ica-networking2_tcp
   description AirPrint
airgroupservice itunes
   id _home-sharing_tcp
   id _apple-mobdev_tcp
   id _daap_tcp
   id _dacp_tcp
   description iTunes
airgroupservice remotemgmt
   id _ssh_tcp
   id _sftp-ssh_tcp
   id _ftp_tcp
   id _telnet_tcp
   id _rfb_tcp
   id _net-assistant_tcp
   description Remote management
airgroupservice sharing
   id _odisk_tcp
   id _afpovertcp_tcp
   id _xgrid_tcp
   description Sharing
airgroupservice chat
   id _presence_tcp
   description Chat
airgroupservice googlecast
   id _googlecast_tcp
   description GoogleCast supported by Chromecast etc
airgroupservice DIAL
   id urndial-multiscreen-orgservicedial1
   id urndial-multiscreen-orgdevicedial1
   description DIAL supported by Chromecast FireTV Roku etc
airgroupservice DLNA Media
   id urnschemas-upnp-orgdeviceMediaServer1
   id urnschemas-upnp-orgdeviceMediaServer2
   id urnschemas-upnp-orgdeviceMediaServer3
   id urnschemas-upnp-orgdeviceMediaServer4
   id urnschemas-upnp-orgdeviceMediaRenderer1
   id urnschemas-upnp-orgdeviceMediaRenderer2
   id urnschemas-upnp-orgdeviceMediaRenderer3
   id urnschemas-upnp-orgdeviceMediaPlayer1
   description Media
airgroupservice DLNA Print
   id urnschemas-upnp-orgdevicePrinter1
   id urnschemas-upnp-orgservicePrintBasic1
   id urnschemas-upnp-orgservicePrintEnhanced1
   description Print
airgroupservice allowall

   description Remaining-Services
airgroup service airplay enable
airgroup service airprint enable
airgroup service itunes disable
airgroup service remotemgmt disable
airgroup service sharing disable
airgroup service chat disable
airgroup service googlecast disable
airgroup service DIAL enable
airgroup service DLNA Media disable
airgroup service DLNA Print disable
airgroup service allowall disable
ip igmp
ipv6 mld
no firewall attack-rate cp 1024
firewall enable ICE-STUN based firewall traversal
firewall attack-rate grat-arp 50 drop
ipv6 firewall ext-hdr-parse-len 100
firewall cp
ip domain lookup
country US
aaa authentication mac default
aaa authentication dot1x ArubaIntop-dot1x_prof
aaa authentication dot1x ascom
   machine-authentication enable
   machine-authentication machine-default-role ascom
   machine-authentication user-default-role authenticated
   reauthentication
   termination enable
   termination eap-type eap-peap
   termination inner-eap-type eap-mschapv2
aaa authentication dot1x default
aaa authentication dot1x Freeradius
   machine-authentication enable
   machine-authentication machine-default-role ascom
   machine-authentication user-default-role authenticated
aaa authentication-server radius Intop
   host 19216802

   key 6035e299cd29e5ccb74cf92aac31ee2f
aaa server-group ascom
   auth-server Internal
aaa server-group default
   auth-server Internal
   set role condition role value-of
aaa server-group intop
   auth-server Intop
aaa profile ascom
   initial-role ascom
   authentication-dot1x ascom
   dot1x-default-role authenticated
   dot1x-server-group ascom
aaa profile default
aaa profile default-dot1x
   initial-role ascom
   authentication-dot1x Freeradius
   dot1x-default-role authenticated
   dot1x-server-group intop
aaa profile default-dot1x-psk
   initial-role ascom
   authentication-dot1x default-psk
   dot1x-default-role authenticated
aaa authentication captive-portal default
aaa authentication wispr default
aaa authentication vpn default
aaa authentication vpn default-rap
aaa authentication mgmt
aaa authentication stateful-ntlm default
aaa authentication stateful-kerberos default
aaa authentication stateful-dot1x
   server-group intop
aaa authentication wired
web-server
guest-access-email
voice logging
voice dialplan-profile default
app lync traffic-control default
voice real-time-config
voice sip
aaa password-policy mgmt

control-plane-security
   no cpsec-enable
ids wms-general-profile
   poll-retries 3
ids wms-local-system-profile
valid-network-oui-profile
upgrade-profile
license profile
activate-service-whitelist
file syncing profile
ifmap cppm
pan profile default
pan active-profile
ap system-profile default
ap regulatory-domain-profile default
   country-code US
   valid-11g-channel 1
   valid-11g-channel 6
   valid-11g-channel 11
   valid-11a-channel 36
   valid-11a-channel 40
   valid-11a-channel 44
   valid-11a-channel 48
   valid-11a-channel 149
   valid-11a-channel 153
   valid-11a-channel 157
   valid-11a-channel 161
   valid-11a-channel 165
   valid-11g-40mhz-channel-pair 1-5
   valid-11g-40mhz-channel-pair 7-11
   valid-11a-40mhz-channel-pair 36-40
   valid-11a-40mhz-channel-pair 44-48
   valid-11a-40mhz-channel-pair 149-153
   valid-11a-40mhz-channel-pair 157-161
ap wired-ap-profile default
ap enet-link-profile default
ap mesh-ht-ssid-profile default
ap lldp med-network-policy-profile default
ap mesh-cluster-profile default
ap lldp profile default
ap mesh-radio-profile default
ap wired-port-profile default
ids general-profile default
ids unauthorized-device-profile default

ids profile default
rf arm-profile default
   assignment disable
rf arm-profile disable
   assignment disable
   no scanning
   no multi-band-scan
rf optimization-profile default
rf event-thresholds-profile default
rf am-scan-profile default
rf dot11a-radio-profile ch 165
   channel 48E
   tx-power 6
   arm-profile disable
rf dot11a-radio-profile ch 36
   channel 36E
   tx-power 25
   dot11h
   arm-profile disable
rf dot11a-radio-profile ch 40
   channel 40-
   tx-power 22
rf dot11a-radio-profile ch149
   channel 149E
   tx-power 6
   dot11h
rf dot11a-radio-profile ch44
   channel 44
   tx-power 16
rf dot11a-radio-profile default
   arm-profile disable
rf dot11g-radio-profile channel-1
   channel 1
   tx-power 6
   dot11h
   arm-profile disable
rf dot11g-radio-profile channel-11
   channel 11
   tx-power 30
   dot11h
   arm-profile disable
rf dot11g-radio-profile channel-6
   channel 6
   tx-power 25
   dot11h
   arm-profile disable
rf dot11g-radio-profile default
wlan handover-trigger-profile default

wlan rrm-ie-profile default
wlan bcn-rpt-req-profile default
wlan dot11r-profile default
wlan tsm-req-profile default
wlan voip-cac-profile default
   call-capacity 5
   bandwidth-capacity 200
   send-sip-status-code client 503
   send-sip-status-code server 503
wlan ht-ssid-profile default
   no 40MHz-enable
   no very-high-throughput-enable
   no 80MHz-enable
   no short-guard-intvl-20MHz
   no short-guard-intvl-40MHz
   no short-guard-intvl-80MHz
wlan hotspot anqp-venue-name-profile default
wlan hotspot anqp-nwk-auth-profile default
wlan hotspot anqp-roam-cons-profile default
wlan hotspot anqp-nai-realm-profile default
wlan hotspot anqp-3gpp-nwk-profile default
wlan hotspot h2qp-operator-friendly-name-profile default
wlan hotspot h2qp-wan-metrics-profile default
wlan hotspot h2qp-conn-capability-profile default
wlan hotspot h2qp-op-cl-profile default
wlan hotspot anqp-ip-addr-avail-profile default
wlan hotspot anqp-domain-name-profile default
wlan wmm-traffic-management-profile Ascom
   enable-shaping
wlan edca-parameters-profile station default
wlan edca-parameters-profile ap default
wlan dot11k-profile default
wlan ssid-profile --NEW--
   essid ArubaIntop2
   wmm-vo-dscp 56
   wmm-vi-dscp 40
   wmm-be-dscp 24
   wmm-bk-dscp 8
wlan ssid-profile default
   essid ArubaIntop
   opmode wpa2-psk-aes
   dtim-period 5
   g-basic-rates 6
   g-tx-rates 11 12 18 24 36 48 54

   max-retries 4
   wmm
   wmm-vo-dscp 46
   wmm-vi-dscp 40
   wmm-be-dscp 26
   wmm-bk-dscp 0
   wepkey1 1317981aecb1ee9a3145cbeeabbbc99a4c29e309ef9c8544
   wpa-passphrase 50a78a5dac7e447441e028920cceef898a3ba5f29c6e2098
   max-tx-fail 25
   edca-parameters-profile station default
   edca-parameters-profile ap default
wlan ssid-profile test
   opmode wpa2-psk-aes
   wmm-vo-dscp 56
   wmm-vi-dscp 40
   wmm-be-dscp 24
   wmm-bk-dscp 8
   wpa-passphrase c66913b490044f55538730b888a8522c02008a746fb88738
wlan hotspot advertisement-profile default
wlan hotspot hs2-profile default
wlan virtual-ap default
   aaa-profile default-dot1x
ap provisioning-profile default
rf arm-rf-domain-profile
   arm-rf-domain-key 49868e8b02680a8f03980ea4288197a4
ap-lacp-striping-ip
ap-group default
   virtual-ap default
   dot11a-radio-profile ch149
   dot11g-radio-profile channel-6
ap-name 001a1eca2c1a
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-11
ap-name 001a1eca2c76
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-1
ap-name 00246ccbf8b1
ap-name 00246ccbf900
   dot11a-radio-profile ch44
   dot11g-radio-profile channel-11
ap-name 24dec6cacabc
   dot11a-radio-profile ch149
   dot11g-radio-profile channel-1
ap-name 3400-ap-61-a
   dot11g-radio-profile channel-6
ap-name 3400-ap-61-b
   dot11g-radio-profile channel-6
ap-name 9c1c12c0c3bc
   dot11a-radio-profile ch 165
   dot11g-radio-profile channel-6

ap-name 9c1c12c82e5c
   dot11a-radio-profile ch149
   dot11g-radio-profile channel-1
ap-name 9c1c12cc6220
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-6
ap-name d8c7c8c0a168
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-1
airgroup cppm-server aaa
logging level warnings security subcat ids
logging level warnings security subcat ids-ap
snmp-server enable trap
snmp-server trap source 0000
snmp-server trap disable wlsxAdhocNetwork
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedAP
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedSta
snmp-server trap disable wlsxAdhocUsingValidSSID
snmp-server trap disable wlsxAuthMaxAclEntries
snmp-server trap disable wlsxAuthMaxBWContracts
snmp-server trap disable wlsxAuthMaxUserEntries
snmp-server trap disable wlsxAuthServerIsUp
snmp-server trap disable wlsxAuthServerReqTimedOut
snmp-server trap disable wlsxAuthServerTimedOut
snmp-server trap disable wlsxChannelChanged
snmp-server trap disable wlsxCoverageHoleDetected
snmp-server trap disable wlsxDBCommunicationFailure
snmp-server trap disable wlsxDisconnectStationAttack
snmp-server trap disable wlsxESIServerDown
snmp-server trap disable wlsxESIServerUp
snmp-server trap disable wlsxFanFailure
snmp-server trap disable wlsxFanTrayInserted
snmp-server trap disable wlsxFanTrayRemoved
snmp-server trap disable wlsxGBICInserted
snmp-server trap disable wlsxIpSpoofingDetected
snmp-server trap disable wlsxLCInserted
snmp-server trap disable wlsxLCRemoved
snmp-server trap disable wlsxLicenseExpiry
snmp-server trap disable wlsxLowMemory
snmp-server trap disable wlsxLowOnFlashSpace
snmp-server trap disable wlsxOutOfRangeTemperature
snmp-server trap disable wlsxOutOfRangeVoltage
snmp-server trap disable wlsxPowerSupplyFailure
snmp-server trap disable wlsxPowerSupplyMissing
snmp-server trap disable wlsxProcessDied
snmp-server trap disable wlsxProcessExceedsMemoryLimits
snmp-server trap disable wlsxSCInserted
snmp-server trap disable wlsxSignatureMatch
snmp-server trap disable wlsxStaUnAssociatedFromUnsecureAP
snmp-server trap disable wlsxStationAddedToBlackList
snmp-server trap disable wlsxStationRemovedFromBlackList
snmp-server trap disable wlsxSwitchIPChanged
snmp-server trap disable wlsxSwitchRoleChange
snmp-server trap disable wlsxUserAuthenticationFailed
snmp-server trap disable wlsxUserEntryAuthenticated
snmp-server trap disable wlsxUserEntryChanged
snmp-server trap disable wlsxUserEntryCreated
snmp-server trap disable wlsxUserEntryDeAuthenticated
snmp-server trap disable wlsxUserEntryDeleted
snmp-server trap disable wlsxVrrpStateChange

firewall-visibility
process monitor log
end



WLAN Interoperability Test Report

Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP115 and AP225

WLAN configuration:
Beacon Interval 100 ms
DTIM Interval 5
802.11d Regulatory Domain XX
WMM Enabled (AutoWMM)
No Auto-tune
Single Voice VLAN

Verdict columns, in order: AP115 2.4 GHz, AP115 5.0 GHz, AP225 2.4 GHz, AP225 5.0 GHz
Test Case Description Verdict Verdict Verdict Verdict Comment
TEST AREA ASSOCIATION AUTHENTICATION
101 Association with open authentication no encryption PASS PASS PASS PASS
104 Association with WPA-PSK authentication TKIP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED Not tested. Only possible in Mixed mode and requires advanced configuration of i62
105 Association with WPA-PSK authentication AES-CCMP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED Not tested. Only possible in Mixed mode and requires advanced configuration of i62
106 Association with WPA2-PSK authentication TKIP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED
107 Association with WPA2-PSK authentication AES-CCMP encryption PASS PASS PASS PASS
110 Association with PEAP-MSCHAPv2 auth AES-CCMP encryption PASS PASS PASS PASS FreeRADIUS RootCA FAIL
111 Association with EAP-FAST authentication NOT TESTED NOT TESTED NOT TESTED NOT TESTED
115 Association with multiple ESSIDs on AP PASS PASS PASS PASS See Comment
116 Association with EAP-TLS authentication PASS PASS PASS PASS FreeRADIUS RootCA + client certificate
TEST AREA POWER-SAVE AND QOS PASS
150 802.11 Power-save mode PASS PASS PASS PASS FAIL
151 Beacon period and DTIM interval NOT TESTED NOT TESTED NOT TESTED NOT TESTED NOT TESTED
152 802.11e U-APSD PASS PASS PASS PASS See Comment
202 WMM prioritization PASS PASS PASS PASS background load generated with iPerf. No degeneration of voice quality
TEST AREA PERFORMANCE
301 Active mode - unencrypted NOT TESTED NOT TESTED NOT TESTED NOT TESTED
303 Active mode – encrypted with WPA2-PSK NOT TESTED NOT TESTED NOT TESTED NOT TESTED
308 Power-save mode U-APSD – WPA2-PSK NOT TESTED NOT TESTED NOT TESTED NOT TESTED
309 Power-save mode U-APSD – WPA2-PSK AES background load NOT TESTED NOT TESTED NOT TESTED NOT TESTED
310 CAC - TSPEC PASS PASS PASS PASS No TSPEC based CAC
TEST AREA ROAMING AND HANDOVER TIMES
401 Handover with open authentication and no encryption PASS PASS PASS PASS avg a/n 24 ms, b/g/n 24 ms
403 Handover with WPA-PSK authentication and TKIP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED
404 Handover with WPA2-PSK auth and AES-CCMP encryption PASS PASS PASS PASS avg a/n 52 ms, b/g/n 59 ms
408 Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption PASS PASS PASS PASS avg a/n 63 ms, b/g/n 62 ms
410 Handover using PMKSA caching PASS PASS PASS PASS always on, see 408
411 Handover using PMKSA and opportunistic/proactive key caching PASS PASS PASS PASS always on, see 408
TEST AREA BATTERY LIFETIME
501 Battery lifetime in idle NOT TESTED NOT TESTED NOT TESTED NOT TESTED
502 Battery lifetime in call with no power save NOT TESTED NOT TESTED NOT TESTED NOT TESTED
504 Battery lifetime in call with power save mode U-APSD NOT TESTED NOT TESTED NOT TESTED NOT TESTED
TEST AREA STABILITY
601 Duration of call – Active mode NOT TESTED NOT TESTED NOT TESTED NOT TESTED
602 Duration of call – U-APSD mode PASS PASS PASS PASS
TEST AREA 802.11n
801 Frame aggregation A-MSDU NOT TESTED NOT TESTED NOT TESTED NOT TESTED
802 Frame aggregation A-MPDU NOT TESTED NOT TESTED NOT TESTED NOT TESTED
804 40 MHz channels NOT TESTED PASS NOT TESTED NOT TESTED
805 802.11n rates PASS PASS PASS PASS

WLAN Interoperability Test Report

Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP103 and AP205

WLAN configuration:
Beacon Interval 100 ms
DTIM Interval 5
802.11d Regulatory Domain XX
WMM Enabled (AutoWMM)
No Auto-tune
Single Voice VLAN

Verdict columns, in order: AP205 2.4 GHz, AP205 5.0 GHz, AP103 2.4 GHz, AP103 5.0 GHz
Test Case Description Verdict Verdict Verdict Verdict Comment
TEST AREA ASSOCIATION AUTHENTICATION
101 Association with open authentication no encryption PASS PASS PASS PASS
104 Association with WPA-PSK authentication TKIP encryption See Comment See Comment See Comment See Comment Not tested. Only possible in Mixed mode and requires advanced configuration of i62
105 Association with WPA-PSK authentication AES-CCMP encryption See Comment See Comment See Comment See Comment Not tested. Only possible in Mixed mode and requires advanced configuration of i62
106 Association with WPA2-PSK authentication TKIP encryption PASS PASS PASS PASS
107 Association with WPA2-PSK authentication AES-CCMP encryption PASS PASS PASS PASS
110 Association with PEAP-MSCHAPv2 auth AES-CCMP encryption PASS PASS PASS PASS FreeRADIUS RootCA FAIL
115 Association with multiple ESSIDs on AP PASS PASS PASS PASS See Comment
116 Association with EAP-TLS authentication PASS PASS PASS PASS FreeRADIUS RootCA + client certificate
TEST AREA POWER-SAVE AND QOS PASS
150 802.11 Power-save mode PASS PASS PASS PASS FAIL
151 Beacon period and DTIM interval See Comment See Comment PASS PASS Only Dtim 1 for AP205 AP103 no remark NOT TESTED
152 802.11e U-APSD PASS PASS PASS PASS See Comment
202 WMM prioritization PASS PASS PASS PASS
TEST AREA PERFORMANCE
301 Active mode - unencrypted PASS PASS PASS PASS
303 Active mode – encrypted with WPA2-PSK PASS PASS PASS PASS
308 Power-save mode U-APSD – WPA2-PSK PASS PASS PASS PASS
309 Power-save mode U-APSD – WPA2-PSK AES background load NOT TESTED NOT TESTED NOT TESTED NOT TESTED
310 CAC - TSPEC PASS PASS PASS PASS Non tspec based CAC
TEST AREA ROAMING AND HANDOVER TIMES
401 Handover with open authentication and no encryption PASS PASS PASS PASS Typical average roaming time: a/n/ac 16 ms, b/g/n 18 ms
403 Handover with WPA-PSK authentication and TKIP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED
404 Handover with WPA2-PSK auth and AES-CCMP encryption PASS PASS PASS PASS Typical average roaming time: a/n/ac 53 ms, b/g/n 59 ms
408 Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption PASS PASS PASS PASS Typical average roaming time: a/n/ac 46 ms, b/g/n 62 ms
410 Handover using PMKSA caching PASS PASS PASS PASS always on, see 408
411 Handover using PMKSA and opportunistic/proactive key caching PASS PASS PASS PASS always on, see 408
TEST AREA BATTERY LIFETIME
501 Battery lifetime in idle See Comment See Comment PASS PASS 60-70h due to DTIM 1 only AP103 90 100h (DTIM 5)
502 Battery lifetime in call with no power save PASS PASS PASS PASS 3-4hours
504 Battery lifetime in call with power save mode U-APSD PASS PASS PASS PASS 13h (14-16h for AP103)
TEST AREA STABILITY
601 Duration of call – Active mode PASS PASS PASS PASS 24h +
602 Duration of call – U-APSD mode PASS PASS PASS PASS 24h +
TEST AREA 802.11n
801 Frame aggregation A-MSDU NOT TESTED NOT TESTED NOT TESTED NOT TESTED
802 Frame aggregation A-MPDU NOT TESTED NOT TESTED NOT TESTED NOT TESTED
804 40 MHz channels NOT TESTED PASS NOT TESTED PASS AP205 80 MHz channels verified ok
805 802.11n rates PASS PASS PASS PASS

WLAN Interoperability Test Report

Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP105 and AP135

WLAN configuration:
Beacon Interval 100 ms
DTIM Interval 5
802.11d Regulatory Domain XX
WMM Enabled (AutoWMM)
No Auto-tune
Single Voice VLAN

Verdict columns, in order: AP105 2.4 GHz, AP105 5.0 GHz, AP135 2.4 GHz, AP135 5.0 GHz
Test Case Description Verdict Verdict Verdict Verdict Comment
TEST AREA ASSOCIATION AUTHENTICATION
101 Association with open authentication no encryption PASS PASS PASS PASS
104 Association with WPA-PSK authentication TKIP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED Not tested. Only possible in Mixed mode and requires advanced configuration of i62
105 Association with WPA-PSK authentication AES-CCMP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED Not tested. Only possible in Mixed mode and requires advanced configuration of i62
106 Association with WPA2-PSK authentication TKIP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED
107 Association with WPA2-PSK authentication AES-CCMP encryption PASS PASS PASS PASS
110 Association with PEAP-MSCHAPv2 auth AES-CCMP encryption PASS PASS PASS PASS FreeRADIUS RootCA FAIL
115 Association with multiple ESSIDs on AP PASS PASS PASS PASS See Comment
116 Association with EAP-TLS authentication PASS PASS PASS PASS FreeRADIUS RootCA + client certificate
TEST AREA POWER-SAVE AND QOS PASS
150 802.11 Power-save mode PASS PASS PASS PASS FAIL
151 Beacon period and DTIM interval NOT TESTED NOT TESTED NOT TESTED NOT TESTED Only Dtim 1 for AP205 AP103 no remark NOT TESTED
152 802.11e U-APSD PASS PASS PASS PASS See Comment
202 WMM prioritization NOT TESTED NOT TESTED NOT TESTED NOT TESTED background load generated with iPerf. No degeneration of voice quality
TEST AREA PERFORMANCE
301 Active mode - unencrypted NOT TESTED NOT TESTED NOT TESTED NOT TESTED
303 Active mode – encrypted with WPA2-PSK NOT TESTED NOT TESTED NOT TESTED NOT TESTED
308 Power-save mode U-APSD – WPA2-PSK NOT TESTED NOT TESTED NOT TESTED NOT TESTED
309 Power-save mode U-APSD – WPA2-PSK AES background load NOT TESTED NOT TESTED NOT TESTED NOT TESTED
310 CAC - TSPEC PASS PASS PASS PASS No TSPEC based CAC
TEST AREA ROAMING AND HANDOVER TIMES
401 Handover with open authentication and no encryption PASS PASS PASS PASS avg a/n 29 ms, b/g/n 27 ms
403 Handover with WPA-PSK authentication and TKIP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED
404 Handover with WPA2-PSK auth and AES-CCMP encryption PASS PASS PASS PASS avg a/n 57 ms, b/g/n 55 ms
408 Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption PASS PASS PASS PASS avg a/n 62 ms, b/g/n 60 ms
410 Handover using PMKSA caching PASS PASS PASS PASS Always on, see 408
411 Handover using PMKSA and opportunistic/proactive key caching PASS PASS PASS PASS Always on, see 408
412 Preauthentication NOT TESTED NOT TESTED NOT TESTED NOT TESTED
TEST AREA BATTERY LIFETIME
501 Battery lifetime in idle NOT TESTED NOT TESTED NOT TESTED NOT TESTED
502 Battery lifetime in call with no power save NOT TESTED NOT TESTED NOT TESTED NOT TESTED
504 Battery lifetime in call with power save mode U-APSD NOT TESTED NOT TESTED NOT TESTED NOT TESTED
TEST AREA STABILITY
601 Duration of call – Active mode PASS PASS PASS PASS
602 Duration of call – U-APSD mode PASS PASS PASS PASS
TEST AREA 802.11n
801 Frame aggregation A-MSDU NOT TESTED NOT TESTED NOT TESTED NOT TESTED
802 Frame aggregation A-MPDU NOT TESTED NOT TESTED NOT TESTED NOT TESTED
804 40 MHz channels NOT TESTED NOT TESTED NOT TESTED PASS
805 802.11n rates PASS PASS PASS PASS

APPENDIX B

Test Summary

Description            Runs
Tests passed           24
Tests Not Run          11
Tests fail             0
Test NA                0
Total Number of Tests  35


Aruba Test Configuration File

version 64 enable secret 7d3988e20126db68084797bcc038534bffc2ced01c24555806 hostname Aruba3400 clock timezone PST ‐8 location Building1floor1 controller config 716 ip NAT pool dynamic‐srcnat 0000 0000 ip access‐list eth validuserethacl permit any netservice svc‐pcoip2‐tcp tcp 4172 netservice svc‐snmp‐trap udp 162 netservice svc‐netbios‐dgm udp 138 netservice svc‐citrix tcp 2598 netservice svc‐smb‐tcp tcp 445 netservice svc‐ike udp 500 netservice svc‐l2tp udp 1701 netservice svc‐syslog udp 514 netservice svc‐dhcp udp 67 68 alg dhcp netservice svc‐https tcp 443 netservice svc‐ica tcp 1494 netservice svc‐pptp tcp 1723 netservice svc‐telnet tcp 23 netservice svc‐http‐accl tcp 88 netservice svc‐sccp tcp 2000 alg sccp netservice svc‐sec‐papi udp 8209 netservice svc‐tftp udp 69 alg tftp netservice svc‐kerberos udp 88 netservice svc‐sip‐tcp tcp 5060 netservice svc‐netbios‐ssn tcp 139 netservice svc‐pcoip‐udp udp 50002 netservice svc‐pcoip‐tcp tcp 50002 netservice svc‐pop3 tcp 110 netservice svc‐adp udp 8200 netservice svc‐cfgm‐tcp tcp 8211 netservice svc‐noe udp 32512 alg noe netservice svc‐http‐proxy3 tcp 8888 netservice svc‐lpd‐tcp tcp 631 netservice svc‐msrpc‐tcp tcp 135 139 netservice svc‐rtsp tcp 554 alg rtsp netservice svc‐dns udp 53 alg dns netservice vnc tcp 5900 5905 netservice svc‐vocera udp 5002 alg vocera netservice svc‐h323‐tcp tcp 1720 netservice svc‐h323‐udp udp 1718 1719 netservice svc‐http tcp 80 netservice svc‐nterm tcp 1026 1028 netservice svc‐sip‐udp udp 5060 netservice svc‐http‐proxy2 tcp 8080 netservice svc‐noe‐oxo udp 5000 alg noe netservice svc‐papi udp 8211 netservice svc‐ftp tcp 21 alg ftp netservice svc‐natt udp 4500 netservice svc‐svp 119 alg svp netservice svc‐microsoft‐ds tcp 445 netservice svc‐gre 47 netservice svc‐smtp tcp 25 netservice web tcp list 80 443 netservice svc‐smb‐udp udp 445 netservice svc‐sips tcp 5061 alg sips netservice svc‐netbios‐ns udp 137 netservice svc‐esp 50


netservice svc‐cups tcp 515 netservice svc‐pcoip2‐udp udp 4172 netservice svc‐bootp udp 67 69 netservice svc‐snmp udp 161 netservice svc‐v6‐dhcp udp 546 547 netservice svc‐icmp 1 netservice svc‐ntp udp 123 netservice svc‐msrpc‐udp udp 135 139 netservice svc‐ssh tcp 22 netservice svc‐http‐proxy1 tcp 3128 netservice svc‐v6‐icmp 58 netservice svc‐lpd‐udp udp 631 netservice svc‐vmware‐rdp tcp 3389 netdestination6 ipv6‐reserved‐range invert network 20003 netexthdr default time‐range night‐hours periodic weekday 1801 to 2359 weekday 0000 to 0759 time‐range weekend periodic weekend 0000 to 2359 time‐range working‐hours periodic weekday 0800 to 1800 ip access‐list session allow‐diskservices any any svc‐netbios‐dgm permit any any svc‐netbios‐ssn permit any any svc‐microsoft‐ds permit any any svc‐netbios‐ns permit ip access‐list session control any any svc‐papi permit any any svc‐sec‐papi permit user any udp 68 deny any any svc‐icmp permit any any svc‐dns permit any any svc‐cfgm‐tcp permit any any svc‐adp permit any any svc‐tftp permit any any svc‐dhcp permit any any svc‐natt permit ip access‐list session v6‐icmp‐acl ip access‐list session apprf‐ascom‐sacl ip access‐list session validuser network 16925400 25525500 any any deny network 127000 255000 any any deny network 224000 240000 any any deny host 255255255255 any any deny network 240000 240000 any any deny any any any permit ipv6 host fe80 any any deny ipv6 network fc007 any any permit ipv6 network fe8064 any any permit ipv6 alias ipv6‐reserved‐range any any deny ipv6 any any any permit ip access‐list session vocera‐acl any any svc‐vocera permit queue high


ip access‐list session v6‐https‐acl ip access‐list session vmware‐acl any any svc‐vmware‐rdp permit tos 46 dot1p‐priority 6 any any svc‐pcoip‐tcp permit tos 46 dot1p‐priority 6 any any svc‐pcoip‐udp permit tos 46 dot1p‐priority 6 any any svc‐pcoip2‐tcp permit tos 46 dot1p‐priority 6 any any svc‐pcoip2‐udp permit tos 46 dot1p‐priority 6 ip access‐list session apprf‐default‐vpn‐role‐sacl ip access‐list session v6‐control ipv6 any any svc‐papi permit ipv6 any any svc‐sec‐papi permit ipv6 user any udp 547 deny ipv6 any any svc‐v6‐icmp permit ipv6 any any svc‐dns permit ipv6 any any svc‐cfgm‐tcp permit ipv6 any any svc‐adp permit ipv6 any any svc‐tftp permit ipv6 any any svc‐dhcp permit ipv6 any any svc‐natt permit ip access‐list session icmp‐acl any any svc‐icmp permit ip access‐list session apprf‐authenticated‐sacl ip access‐list session apprf‐stateful‐dot1x‐sacl ip access‐list session captiveportal user alias controller svc‐https dst‐nat 8081 user any svc‐http dst‐nat 8080 user any svc‐https dst‐nat 8081 user any svc‐http‐proxy1 dst‐nat 8088 user any svc‐http‐proxy2 dst‐nat 8088 user any svc‐http‐proxy3 dst‐nat 8088 ip access‐list session v6‐dhcp‐acl ip access‐list session allowall any any any permit ip access‐list session v6‐dns‐acl ip access‐list session apprf‐voice‐sacl ip access‐list session lync‐acl any any svc‐sips permit queue high ip access‐list session test ip access‐list session sip‐acl any any svc‐sip‐udp permit queue high any any svc‐sip‐tcp permit queue high ip access‐list session https‐acl any any svc‐https permit ip access‐list session citrix‐acl any any svc‐citrix permit tos 46 dot1p‐priority 6 any any svc‐ica permit tos 46 dot1p‐priority 6 ip access‐list session dns‐acl any any svc‐dns permit


ip access‐list session ascom any any any permit ip access‐list session ra‐guard ipv6 user any icmpv6 rtr‐adv deny ip access‐list session allow‐printservices any any svc‐cups permit any any svc‐lpd‐tcp permit any any svc‐lpd‐udp permit ip access‐list session logon‐control user any udp 68 deny any any svc‐icmp permit any any svc‐dns permit any any svc‐dhcp permit any any svc‐natt permit any network 16925400 25525500 any deny any network 240000 240000 any deny ip access‐list session vpnlogon user any svc‐ike permit user any svc‐esp permit any any svc‐l2tp permit any any svc‐pptp permit any any svc‐gre permit ip access‐list session srcnat user any any src‐nat ip access‐list session skinny‐acl any any svc‐sccp permit queue high ip access‐list session tftp‐acl any any svc‐tftp permit ip access‐list session v6‐allowall ip access‐list session apprf‐cpbase‐sacl ip access‐list session cplogout user alias controller svc‐https dst‐nat 8081 ip access‐list session apprf‐default‐via‐role‐sacl ip access‐list session dhcp‐acl any any svc‐dhcp permit ip access‐list session http‐acl any any svc‐http permit ip access‐list session v6‐http‐acl ip access‐list session captiveportal6 ipv6 user alias controller6 svc‐https captive ipv6 user any svc‐http captive ipv6 user any svc‐https captive ipv6 user any svc‐http‐proxy1 captive ipv6 user any svc‐http‐proxy2 captive ipv6 user any svc‐http‐proxy3 captive ip access‐list session apprf‐guest‐sacl ip access‐list session ap‐uplink‐acl any any udp 68 permit


any any svc‐icmp permit any host 22400251 udp 5353 permit ip access‐list session ap‐acl any any svc‐gre permit any any svc‐syslog permit any user svc‐snmp permit user any svc‐http permit user any svc‐http‐accl permit user any svc‐smb‐tcp permit user any svc‐msrpc‐tcp permit user any svc‐snmp‐trap permit user any svc‐ntp permit user alias controller svc‐ftp permit ip access‐list session svp‐acl any any svc‐svp permit queue high user host 22401116 any permit ip access‐list session noe‐acl any any svc‐noe permit queue high ip access‐list session global‐sacl ip access‐list session v6‐ap‐acl ipv6 any any svc‐gre permit ipv6 any any svc‐syslog permit ipv6 any user svc‐snmp permit ipv6 user any svc‐snmp‐trap permit ipv6 user any svc‐ntp permit ipv6 user alias controller6 svc‐ftp permit ip access‐list session h323‐acl any any svc‐h323‐tcp permit queue high any any svc‐h323‐udp permit queue high ip access‐list session v6‐logon‐control ipv6 any network fc007 any permit ipv6 any network fe8064 any permit ipv6 any alias ipv6‐reserved‐range any deny vpn‐dialer default‐dialer ike authentication PRE‐SHARE 0fa4598253e270cc96afbec0732b06120e4a3d76a908f6e2 dot1x high‐watermark 60 dot1x low‐watermark 57 user‐role ap‐role access‐list session ra‐guard access‐list session control access‐list session ap‐acl access‐list session v6‐control access‐list session v6‐ap‐acl user‐role denyall user‐role default‐vpn‐role access‐list session global‐sacl access‐list session apprf‐default‐vpn‐role‐sacl access‐list session ra‐guard access‐list session allowall access‐list session v6‐allowall user‐role cpbase access‐list session global‐sacl access‐list session apprf‐cpbase‐sacl


user‐role voice access‐list session global‐sacl access‐list session apprf‐voice‐sacl access‐list session ra‐guard access‐list session sip‐acl access‐list session noe‐acl access‐list session svp‐acl access‐list session vocera‐acl access‐list session skinny‐acl access‐list session h323‐acl access‐list session dhcp‐acl access‐list session tftp‐acl access‐list session dns‐acl access‐list session icmp‐acl user‐role ascom access‐list session global‐sacl access‐list session apprf‐ascom‐sacl access‐list session ascom user‐role default‐via‐role access‐list session global‐sacl access‐list session apprf‐default‐via‐role‐sacl access‐list session allowall access‐list session v6‐allowall user‐role guest‐logon captive‐portal default access‐list session ra‐guard access‐list session logon‐control access‐list session captiveportal access‐list session v6‐logon‐control access‐list session captiveportal6 user‐role guest access‐list session global‐sacl access‐list session apprf‐guest‐sacl access‐list session ra‐guard access‐list session http‐acl access‐list session https‐acl access‐list session dhcp‐acl access‐list session icmp‐acl access‐list session dns‐acl access‐list session v6‐http‐acl access‐list session v6‐https‐acl access‐list session v6‐dhcp‐acl access‐list session v6‐icmp‐acl access‐list session v6‐dns‐acl user‐role stateful‐dot1x access‐list session global‐sacl access‐list session apprf‐stateful‐dot1x‐sacl user‐role authenticated access‐list session global‐sacl access‐list session apprf‐authenticated‐sacl access‐list session ra‐guard access‐list session allowall access‐list session v6‐allowall user‐role logon access‐list session ra‐guard access‐list session logon‐control access‐list session captiveportal access‐list session vpnlogon access‐list session v6‐logon‐control


access‐list session captiveportal6 no kernel coredump interface mgmt shutdown dialer group evdo_us init‐string ATQ0V1E0 dial‐string ATDT777 dialer group gsm_us init‐string AT+CGDCONT=1IPISPCINGULAR dial‐string ATD99 dialer group gsm_asia init‐string AT+CGDCONT=1IPinternet dial‐string ATD991 dialer group vivo_br init‐string AT+CGDCONT=1IPzapvivocombr dial‐string ATD99 no spanning‐tree interface gigabitethernet 10 description GE10 trusted trusted vlan 1‐4094 interface gigabitethernet 11 description GE11 trusted trusted vlan 1‐4094 interface gigabitethernet 12 description GE12 trusted trusted vlan 1‐4094 interface gigabitethernet 13 description GE13 trusted trusted vlan 1‐4094 interface vlan 1 ip address 192168013 2552552550 ip default‐gateway 172201061 ip default‐gateway 192168050 uplink disable


crypto isakmp policy 20 encryption aes256 crypto isakmp policy 10001 crypto isakmp policy 10002 encryption aes256 authentication rsa‐sig crypto isakmp policy 10003 encryption aes256 crypto isakmp policy 10004 version v2 encryption aes256 authentication rsa‐sig crypto isakmp policy 10005 encryption aes256 crypto isakmp policy 10006 version v2 encryption aes128 authentication rsa‐sig crypto isakmp policy 10007 version v2 encryption aes128 crypto isakmp policy 10008 version v2 encryption aes128 hash sha2‐256‐128 group 19 authentication ecdsa‐256 prf prf‐hmac‐sha256 crypto isakmp policy 10009 version v2 encryption aes256 hash sha2‐384‐192 group 20 authentication ecdsa‐384 prf prf‐hmac‐sha384 crypto ipsec transform‐set default‐ha‐transform esp‐3des esp‐sha‐hmac crypto ipsec transform‐set default‐boc‐bm‐transform esp‐3des esp‐sha‐hmac crypto ipsec transform‐set default‐rap‐transform esp‐aes256 esp‐sha‐hmac crypto ipsec transform‐set default‐aes esp‐aes256 esp‐sha‐hmac crypto dynamic‐map default‐rap‐ipsecmap 10001 version v2 set transform‐set default‐gcm256 default‐gcm128 default‐rap‐transform crypto dynamic‐map default‐dynamicmap 10000 set transform‐set default‐transform default‐aes


crypto map GLOBAL‐IKEV2‐MAP 10000 ipsec‐isakmp dynamic default‐rap‐ipsecmap crypto map GLOBAL‐MAP 10000 ipsec‐isakmp dynamic default‐dynamicmap crypto isakmp eap‐passthrough eap‐tls crypto isakmp eap‐passthrough eap‐peap crypto isakmp eap‐passthrough eap‐mschapv2 vpdn group l2tp vpdn group pptp tunneled‐node‐address 0000 adp discovery enable adp igmp‐join enable adp igmp‐vlan 0 voice rtcp‐inactivity disable voice alg‐based‐cac enable voice sip‐midcall‐req‐timeout disable ap ap‐blacklist‐time 3600 ap flush‐r1‐on‐new‐r0 disable mgmt‐user admin root 5436b5a101681372db26d314e974065944317cd3e1fe6a5534 no database synchronize ip mobile domain default airgroup mdns enable airgroup dlna enable airgroup location‐discovery enable airgroup active‐wireless‐discovery disable airgroupservice airplay id _airplay_tcp id _raop_tcp id _appletv‐v2_tcp description AirPlay airgroupservice airprint id _ipp_tcp id _pdl‐datastream_tcp id _printer_tcp id _scanner_tcp id _universal_sub_ipp_tcp id _universal_sub_ipps_tcp id _printer_sub_http_tcp id _http_tcp


id _http‐alt_tcp id _ipp‐tls_tcp id _fax‐ipp_tcp id _riousbprint_tcp id _cups_sub_ipp_tcp id _cups_sub_fax‐ipp_tcp id _ica‐networking_tcp id _ptp_tcp id _canon‐bjnp1_tcp id _ipps_tcp id _ica‐networking2_tcp description AirPrint airgroupservice itunes id _home‐sharing_tcp id _apple‐mobdev_tcp id _daap_tcp id _dacp_tcp description iTunes airgroupservice remotemgmt id _ssh_tcp id _sftp‐ssh_tcp id _ftp_tcp id _telnet_tcp id _rfb_tcp id _net‐assistant_tcp description Remote management airgroupservice sharing id _odisk_tcp id _afpovertcp_tcp id _xgrid_tcp description Sharing airgroupservice chat id _presence_tcp description Chat airgroupservice googlecast id _googlecast_tcp description GoogleCast supported by Chromecast etc airgroupservice DIAL id urndial‐multiscreen‐orgservicedial1 id urndial‐multiscreen‐orgdevicedial1 description DIAL supported by Chromecast FireTV Roku etc airgroupservice DLNA Media id urnschemas‐upnp‐orgdeviceMediaServer1 id urnschemas‐upnp‐orgdeviceMediaServer2 id urnschemas‐upnp‐orgdeviceMediaServer3 id urnschemas‐upnp‐orgdeviceMediaServer4 id urnschemas‐upnp‐orgdeviceMediaRenderer1 id urnschemas‐upnp‐orgdeviceMediaRenderer2 id urnschemas‐upnp‐orgdeviceMediaRenderer3 id urnschemas‐upnp‐orgdeviceMediaPlayer1 description Media airgroupservice DLNA Print id urnschemas‐upnp‐orgdevicePrinter1 id urnschemas‐upnp‐orgservicePrintBasic1 id urnschemas‐upnp‐orgservicePrintEnhanced1 description Print airgroupservice allowall


description Remaining‐Services airgroup service airplay enable airgroup service airprint enable airgroup service itunes disable airgroup service remotemgmt disable airgroup service sharing disable airgroup service chat disable airgroup service googlecast disable airgroup service DIAL enable airgroup service DLNA Media disable airgroup service DLNA Print disable airgroup service allowall disable ip igmp ipv6 mld no firewall attack‐rate cp 1024 firewall enable ICE‐STUN based firewall traversal firewall attack‐rate grat‐arp 50 drop ipv6 firewall ext‐hdr‐parse‐len 100 firewall cp ip domain lookup country US aaa authentication mac default aaa authentication dot1x ArubaIntop‐dot1x_prof aaa authentication dot1x ascom machine‐authentication enable machine‐authentication machine‐default‐role ascom machine‐authentication user‐default‐role authenticated reauthentication termination enable termination eap‐type eap‐peap termination inner‐eap‐type eap‐mschapv2 aaa authentication dot1x default aaa authentication dot1x Freeradius machine‐authentication enable machine‐authentication machine‐default‐role ascom machine‐authentication user‐default‐role authenticated aaa authentication‐server radius Intop host 19216802


key 6035e299cd29e5ccb74cf92aac31ee2f aaa server‐group ascom auth‐server Internal aaa server‐group default auth‐server Internal set role condition role value‐of aaa server‐group intop auth‐server Intop aaa profile ascom initial‐role ascom authentication‐dot1x ascom dot1x‐default‐role authenticated dot1x‐server‐group ascom aaa profile default aaa profile default‐dot1x initial‐role ascom authentication‐dot1x Freeradius dot1x‐default‐role authenticated dot1x‐server‐group intop aaa profile default‐dot1x‐psk initial‐role ascom authentication‐dot1x default‐psk dot1x‐default‐role authenticated aaa authentication captive‐portal default aaa authentication wispr default aaa authentication vpn default aaa authentication vpn default‐rap aaa authentication mgmt aaa authentication stateful‐ntlm default aaa authentication stateful‐kerberos default aaa authentication stateful‐dot1x server‐group intop aaa authentication wired web‐server guest‐access‐email voice logging voice dialplan‐profile default app lync traffic‐control default voice real‐time‐config voice sip aaa password‐policy mgmt


control‐plane‐security no cpsec‐enable ids wms‐general‐profile poll‐retries 3 ids wms‐local‐system‐profile valid‐network‐oui‐profile upgrade‐profile license profile activate‐service‐whitelist file syncing profile ifmap cppm pan profile default pan active‐profile ap system‐profile default ap regulatory‐domain‐profile default country‐code US valid‐11g‐channel 1 valid‐11g‐channel 6 valid‐11g‐channel 11 valid‐11a‐channel 36 valid‐11a‐channel 40 valid‐11a‐channel 44 valid‐11a‐channel 48 valid‐11a‐channel 149 valid‐11a‐channel 153 valid‐11a‐channel 157 valid‐11a‐channel 161 valid‐11a‐channel 165 valid‐11g‐40mhz‐channel‐pair 1‐5 valid‐11g‐40mhz‐channel‐pair 7‐11 valid‐11a‐40mhz‐channel‐pair 36‐40 valid‐11a‐40mhz‐channel‐pair 44‐48 valid‐11a‐40mhz‐channel‐pair 149‐153 valid‐11a‐40mhz‐channel‐pair 157‐161 ap wired‐ap‐profile default ap enet‐link‐profile default ap mesh‐ht‐ssid‐profile default ap lldp med‐network‐policy‐profile default ap mesh‐cluster‐profile default ap lldp profile default ap mesh‐radio‐profile default ap wired‐port‐profile default ids general‐profile default ids unauthorized‐device‐profile default


ids profile default
rf arm-profile default
   assignment disable
rf arm-profile disable
   assignment disable
   no scanning
   no multi-band-scan
rf optimization-profile default
rf event-thresholds-profile default
rf am-scan-profile default
rf dot11a-radio-profile ch 165
   channel 48E
   tx-power 6
   arm-profile disable
rf dot11a-radio-profile ch 36
   channel 36E
   tx-power 25
   dot11h
   arm-profile disable
rf dot11a-radio-profile ch 40
   channel 40-
   tx-power 22
rf dot11a-radio-profile ch149
   channel 149E
   tx-power 6
   dot11h
rf dot11a-radio-profile ch44
   channel 44
   tx-power 16
rf dot11a-radio-profile default
   arm-profile disable
rf dot11g-radio-profile channel-1
   channel 1
   tx-power 6
   dot11h
   arm-profile disable
rf dot11g-radio-profile channel-11
   channel 11
   tx-power 30
   dot11h
   arm-profile disable
rf dot11g-radio-profile channel-6
   channel 6
   tx-power 25
   dot11h
   arm-profile disable
rf dot11g-radio-profile default
wlan handover-trigger-profile default


wlan rrm-ie-profile default
wlan bcn-rpt-req-profile default
wlan dot11r-profile default
wlan tsm-req-profile default
wlan voip-cac-profile default
   call-capacity 5
   bandwidth-capacity 200
   send-sip-status-code client 503
   send-sip-status-code server 503
wlan ht-ssid-profile default
   no 40MHz-enable
   no very-high-throughput-enable
   no 80MHz-enable
   no short-guard-intvl-20MHz
   no short-guard-intvl-40MHz
   no short-guard-intvl-80MHz
wlan hotspot anqp-venue-name-profile default
wlan hotspot anqp-nwk-auth-profile default
wlan hotspot anqp-roam-cons-profile default
wlan hotspot anqp-nai-realm-profile default
wlan hotspot anqp-3gpp-nwk-profile default
wlan hotspot h2qp-operator-friendly-name-profile default
wlan hotspot h2qp-wan-metrics-profile default
wlan hotspot h2qp-conn-capability-profile default
wlan hotspot h2qp-op-cl-profile default
wlan hotspot anqp-ip-addr-avail-profile default
wlan hotspot anqp-domain-name-profile default
wlan wmm-traffic-management-profile Ascom
   enable-shaping
wlan edca-parameters-profile station default
wlan edca-parameters-profile ap default
wlan dot11k-profile default
wlan ssid-profile --NEW--
   essid ArubaIntop2
   wmm-vo-dscp 56
   wmm-vi-dscp 40
   wmm-be-dscp 24
   wmm-bk-dscp 8
wlan ssid-profile default
   essid ArubaIntop
   opmode wpa2-psk-aes
   dtim-period 5
   g-basic-rates 6
   g-tx-rates 11 12 18 24 36 48 54


   max-retries 4
   wmm
   wmm-vo-dscp 46
   wmm-vi-dscp 40
   wmm-be-dscp 26
   wmm-bk-dscp 0
   wepkey1 1317981aecb1ee9a3145cbeeabbbc99a4c29e309ef9c8544
   wpa-passphrase 50a78a5dac7e447441e028920cceef898a3ba5f29c6e2098
   max-tx-fail 25
   edca-parameters-profile station default
   edca-parameters-profile ap default
wlan ssid-profile test
   opmode wpa2-psk-aes
   wmm-vo-dscp 56
   wmm-vi-dscp 40
   wmm-be-dscp 24
   wmm-bk-dscp 8
   wpa-passphrase c66913b490044f55538730b888a8522c02008a746fb88738
wlan hotspot advertisement-profile default
wlan hotspot hs2-profile default
wlan virtual-ap default
   aaa-profile default-dot1x
ap provisioning-profile default
rf arm-rf-domain-profile
   arm-rf-domain-key 49868e8b02680a8f03980ea4288197a4
ap-lacp-striping-ip
ap-group default
   virtual-ap default
   dot11a-radio-profile ch149
   dot11g-radio-profile channel-6
ap-name 001a1eca2c1a
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-11
ap-name 001a1eca2c76
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-1
ap-name 00246ccbf8b1
ap-name 00246ccbf900
   dot11a-radio-profile ch44
   dot11g-radio-profile channel-11
ap-name 24dec6cacabc
   dot11a-radio-profile ch149
   dot11g-radio-profile channel-1
ap-name 3400-ap-61-a
   dot11g-radio-profile channel-6
ap-name 3400-ap-61-b
   dot11g-radio-profile channel-6
ap-name 9c1c12c0c3bc
   dot11a-radio-profile ch 165
   dot11g-radio-profile channel-6


ap-name 9c1c12c82e5c
   dot11a-radio-profile ch149
   dot11g-radio-profile channel-1
ap-name 9c1c12cc6220
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-6
ap-name d8c7c8c0a168
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-1
airgroup cppm-server aaa
logging level warnings security subcat ids
logging level warnings security subcat ids-ap
snmp-server enable trap
snmp-server trap source 0000
snmp-server trap disable wlsxAdhocNetwork
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedAP
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedSta
snmp-server trap disable wlsxAdhocUsingValidSSID
snmp-server trap disable wlsxAuthMaxAclEntries
snmp-server trap disable wlsxAuthMaxBWContracts
snmp-server trap disable wlsxAuthMaxUserEntries
snmp-server trap disable wlsxAuthServerIsUp
snmp-server trap disable wlsxAuthServerReqTimedOut
snmp-server trap disable wlsxAuthServerTimedOut
snmp-server trap disable wlsxChannelChanged
snmp-server trap disable wlsxCoverageHoleDetected
snmp-server trap disable wlsxDBCommunicationFailure
snmp-server trap disable wlsxDisconnectStationAttack
snmp-server trap disable wlsxESIServerDown
snmp-server trap disable wlsxESIServerUp
snmp-server trap disable wlsxFanFailure
snmp-server trap disable wlsxFanTrayInserted
snmp-server trap disable wlsxFanTrayRemoved
snmp-server trap disable wlsxGBICInserted
snmp-server trap disable wlsxIpSpoofingDetected
snmp-server trap disable wlsxLCInserted
snmp-server trap disable wlsxLCRemoved
snmp-server trap disable wlsxLicenseExpiry
snmp-server trap disable wlsxLowMemory
snmp-server trap disable wlsxLowOnFlashSpace
snmp-server trap disable wlsxOutOfRangeTemperature
snmp-server trap disable wlsxOutOfRangeVoltage
snmp-server trap disable wlsxPowerSupplyFailure
snmp-server trap disable wlsxPowerSupplyMissing
snmp-server trap disable wlsxProcessDied
snmp-server trap disable wlsxProcessExceedsMemoryLimits
snmp-server trap disable wlsxSCInserted
snmp-server trap disable wlsxSignatureMatch
snmp-server trap disable wlsxStaUnAssociatedFromUnsecureAP
snmp-server trap disable wlsxStationAddedToBlackList
snmp-server trap disable wlsxStationRemovedFromBlackList
snmp-server trap disable wlsxSwitchIPChanged
snmp-server trap disable wlsxSwitchRoleChange
snmp-server trap disable wlsxUserAuthenticationFailed
snmp-server trap disable wlsxUserEntryAuthenticated
snmp-server trap disable wlsxUserEntryChanged
snmp-server trap disable wlsxUserEntryCreated
snmp-server trap disable wlsxUserEntryDeAuthenticated
snmp-server trap disable wlsxUserEntryDeleted
snmp-server trap disable wlsxVrrpStateChange


firewall-visibility
process monitor log
end

WLAN TR


WLAN Interoperability Test Report

Test object - Handset: Ascom i62 sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP115 and AP225

WLAN configuration: Beacon Interval 100ms; DTIM Interval 5; 802.11d Regulatory Domain XX; WMM Enabled (AutoWMM); No Auto-tune; Single Voice VLAN

| Test Case | Description | AP115 2.4GHz Verdict | AP115 5.0GHz Verdict | AP225 2.4GHz Verdict | AP225 5.0GHz Verdict | Comment |
|---|---|---|---|---|---|---|
| | TEST AREA ASSOCIATION AUTHENTICATION | | | | | |
| 101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS | |
| 104 | Association with WPA-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 105 | Association with WPA-PSK authentication, AES-CCMP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 106 | Association with WPA2-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS | |
| 110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL |
| 111 | Association with EAP-FAST authentication | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment |
| 116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate |
| | TEST AREA POWER-SAVE AND QOS | | | | | PASS |
| 150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL |
| 151 | Beacon period and DTIM interval | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
| 152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment |
| 202 | WMM prioritization | PASS | PASS | PASS | PASS | Background load generated with iPerf. No degeneration of voice quality |
| | TEST AREA PERFORMANCE | | | | | |
| 301 | Active mode - unencrypted | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 303 | Active mode – encrypted with WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 308 | Power-save mode U-APSD – WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 309 | Power-save mode U-APSD – WPA2-PSK AES, background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 310 | CAC - TSPEC | PASS | PASS | PASS | PASS | No TSPEC based CAC |
| | TEST AREA ROAMING AND HANDOVER TIMES | | | | | |
| 401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | avg a/n 24ms, b/g/n 24ms |
| 403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 52ms, b/g/n 59ms |
| 408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 63ms, b/g/n 62ms |
| 410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | always on, see 408 |
| 411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | always on, see 408 |
| | TEST AREA BATTERY LIFETIME | | | | | |
| 501 | Battery lifetime in idle | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 502 | Battery lifetime in call with no power save | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 504 | Battery lifetime in call with power save mode U-APSD | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| | TEST AREA STABILITY | | | | | |
| 601 | Duration of call – Active mode | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 602 | Duration of call – U-APSD mode | PASS | PASS | PASS | PASS | |
| | TEST AREA 802.11n | | | | | |
| 801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 804 | 40MHz channels | NOT TESTED | PASS | NOT TESTED | NOT TESTED | |
| 805 | 802.11n rates | PASS | PASS | PASS | PASS | |

WLAN Interoperability Test Report

Test object - Handset: Ascom i62 sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP103 and AP205

WLAN configuration: Beacon Interval 100ms; DTIM Interval 5; 802.11d Regulatory Domain XX; WMM Enabled (AutoWMM); No Auto-tune; Single Voice VLAN

| Test Case | Description | AP205 2.4GHz Verdict | AP205 5.0GHz Verdict | AP103 2.4GHz Verdict | AP103 5.0GHz Verdict | Comment |
|---|---|---|---|---|---|---|
| | TEST AREA ASSOCIATION AUTHENTICATION | | | | | |
| 101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS | |
| 104 | Association with WPA-PSK authentication, TKIP encryption | See Comment | See Comment | See Comment | See Comment | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 105 | Association with WPA-PSK authentication, AES-CCMP encryption | See Comment | See Comment | See Comment | See Comment | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 106 | Association with WPA2-PSK authentication, TKIP encryption | PASS | PASS | PASS | PASS | |
| 107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS | |
| 110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL |
| 115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment |
| 116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate |
| | TEST AREA POWER-SAVE AND QOS | | | | | PASS |
| 150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL |
| 151 | Beacon period and DTIM interval | See Comment | See Comment | PASS | PASS | Only DTIM 1 for AP205, AP103 no remark NOT TESTED |
| 152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment |
| 202 | WMM prioritization | PASS | PASS | PASS | PASS | |
| | TEST AREA PERFORMANCE | | | | | |
| 301 | Active mode - unencrypted | PASS | PASS | PASS | PASS | |
| 303 | Active mode – encrypted with WPA2-PSK | PASS | PASS | PASS | PASS | |
| 308 | Power-save mode U-APSD – WPA2-PSK | PASS | PASS | PASS | PASS | |
| 309 | Power-save mode U-APSD – WPA2-PSK AES, background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 310 | CAC - TSPEC | PASS | PASS | PASS | PASS | Non-TSPEC based CAC |
| | TEST AREA ROAMING AND HANDOVER TIMES | | | | | |
| 401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 16ms, b/g/n 18ms |
| 403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 53ms, b/g/n 59ms |
| 408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 46ms, b/g/n 62ms |
| 410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | always on, see 408 |
| 411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | always on, see 408 |
| | TEST AREA BATTERY LIFETIME | | | | | |
| 501 | Battery lifetime in idle | See Comment | See Comment | PASS | PASS | 60-70h due to DTIM 1 only AP103 90 100h (DTIM 5) |
| 502 | Battery lifetime in call with no power save | PASS | PASS | PASS | PASS | 3-4hours |
| 504 | Battery lifetime in call with power save mode U-APSD | PASS | PASS | PASS | PASS | 13h (14-16h for AP103) |
| | TEST AREA STABILITY | | | | | |
| 601 | Duration of call – Active mode | PASS | PASS | PASS | PASS | 24h + |
| 602 | Duration of call – U-APSD mode | PASS | PASS | PASS | PASS | 24h + |
| | TEST AREA 802.11n | | | | | |
| 801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 804 | 40MHz channels | NOT TESTED | PASS | NOT TESTED | PASS | AP205 80MHz channels verified OK |
| 805 | 802.11n rates | PASS | PASS | PASS | PASS | |

WLAN Interoperability Test Report

Test object - Handset: Ascom i62 sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP105 and AP135

WLAN configuration: Beacon Interval 100ms; DTIM Interval 5; 802.11d Regulatory Domain XX; WMM Enabled (AutoWMM); No Auto-tune; Single Voice VLAN

| Test Case | Description | AP105 2.4GHz Verdict | AP105 5.0GHz Verdict | AP135 2.4GHz Verdict | AP135 5.0GHz Verdict | Comment |
|---|---|---|---|---|---|---|
| | TEST AREA ASSOCIATION AUTHENTICATION | | | | | |
| 101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS | |
| 104 | Association with WPA-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 105 | Association with WPA-PSK authentication, AES-CCMP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 106 | Association with WPA2-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS | |
| 110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL |
| 115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment |
| 116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate |
| | TEST AREA POWER-SAVE AND QOS | | | | | PASS |
| 150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL |
| 151 | Beacon period and DTIM interval | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Only DTIM 1 for AP205, AP103 no remark NOT TESTED |
| 152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment |
| 202 | WMM prioritization | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Background load generated with iPerf. No degeneration of voice quality |
| | TEST AREA PERFORMANCE | | | | | |
| 301 | Active mode - unencrypted | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 303 | Active mode – encrypted with WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 308 | Power-save mode U-APSD – WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 309 | Power-save mode U-APSD – WPA2-PSK AES, background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 310 | CAC - TSPEC | PASS | PASS | PASS | PASS | No TSPEC based CAC |
| | TEST AREA ROAMING AND HANDOVER TIMES | | | | | |
| 401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | avg a/n 29ms, b/g/n 27ms |
| 403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 57ms, b/g/n 55ms |
| 408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 62ms, b/g/n 60ms |
| 410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | Always on, see 408 |
| 411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | Always on, see 408 |
| 412 | Preauthentication | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| | TEST AREA BATTERY LIFETIME | | | | | |
| 501 | Battery lifetime in idle | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 502 | Battery lifetime in call with no power save | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 504 | Battery lifetime in call with power save mode U-APSD | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| | TEST AREA STABILITY | | | | | |
| 601 | Duration of call – Active mode | PASS | PASS | PASS | PASS | |
| 602 | Duration of call – U-APSD mode | PASS | PASS | PASS | PASS | |
| | TEST AREA 802.11n | | | | | |
| 801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 804 | 40MHz channels | NOT TESTED | NOT TESTED | NOT TESTED | PASS | |
| 805 | 802.11n rates | PASS | PASS | PASS | PASS | |

Aruba Test Configuration File

version 64
enable secret 7d3988e20126db68084797bcc038534bffc2ced01c24555806
hostname Aruba3400
clock timezone PST -8
location Building1floor1
controller config 716
ip NAT pool dynamic-srcnat 0000 0000
ip access-list eth validuserethacl
  permit any
netservice svc-pcoip2-tcp tcp 4172
netservice svc-snmp-trap udp 162
netservice svc-netbios-dgm udp 138
netservice svc-citrix tcp 2598
netservice svc-smb-tcp tcp 445
netservice svc-ike udp 500
netservice svc-l2tp udp 1701
netservice svc-syslog udp 514
netservice svc-dhcp udp 67 68 alg dhcp
netservice svc-https tcp 443
netservice svc-ica tcp 1494
netservice svc-pptp tcp 1723
netservice svc-telnet tcp 23
netservice svc-http-accl tcp 88
netservice svc-sccp tcp 2000 alg sccp
netservice svc-sec-papi udp 8209
netservice svc-tftp udp 69 alg tftp
netservice svc-kerberos udp 88
netservice svc-sip-tcp tcp 5060
netservice svc-netbios-ssn tcp 139
netservice svc-pcoip-udp udp 50002
netservice svc-pcoip-tcp tcp 50002
netservice svc-pop3 tcp 110
netservice svc-adp udp 8200
netservice svc-cfgm-tcp tcp 8211
netservice svc-noe udp 32512 alg noe
netservice svc-http-proxy3 tcp 8888
netservice svc-lpd-tcp tcp 631
netservice svc-msrpc-tcp tcp 135 139
netservice svc-rtsp tcp 554 alg rtsp
netservice svc-dns udp 53 alg dns
netservice vnc tcp 5900 5905
netservice svc-vocera udp 5002 alg vocera
netservice svc-h323-tcp tcp 1720
netservice svc-h323-udp udp 1718 1719
netservice svc-http tcp 80
netservice svc-nterm tcp 1026 1028
netservice svc-sip-udp udp 5060
netservice svc-http-proxy2 tcp 8080
netservice svc-noe-oxo udp 5000 alg noe
netservice svc-papi udp 8211
netservice svc-ftp tcp 21 alg ftp
netservice svc-natt udp 4500
netservice svc-svp 119 alg svp
netservice svc-microsoft-ds tcp 445
netservice svc-gre 47
netservice svc-smtp tcp 25
netservice web tcp list 80 443
netservice svc-smb-udp udp 445
netservice svc-sips tcp 5061 alg sips
netservice svc-netbios-ns udp 137
netservice svc-esp 50
netservice svc-cups tcp 515
netservice svc-pcoip2-udp udp 4172
netservice svc-bootp udp 67 69
netservice svc-snmp udp 161
netservice svc-v6-dhcp udp 546 547
netservice svc-icmp 1
netservice svc-ntp udp 123
netservice svc-msrpc-udp udp 135 139
netservice svc-ssh tcp 22
netservice svc-http-proxy1 tcp 3128
netservice svc-v6-icmp 58
netservice svc-lpd-udp udp 631
netservice svc-vmware-rdp tcp 3389
netdestination6 ipv6-reserved-range
  invert
  network 20003
netexthdr default
time-range night-hours periodic
  weekday 1801 to 2359
  weekday 0000 to 0759
time-range weekend periodic
  weekend 0000 to 2359
time-range working-hours periodic
  weekday 0800 to 1800
ip access-list session allow-diskservices
  any any svc-netbios-dgm permit
  any any svc-netbios-ssn permit
  any any svc-microsoft-ds permit
  any any svc-netbios-ns permit
ip access-list session control
  any any svc-papi permit
  any any svc-sec-papi permit
  user any udp 68 deny
  any any svc-icmp permit
  any any svc-dns permit
  any any svc-cfgm-tcp permit
  any any svc-adp permit
  any any svc-tftp permit
  any any svc-dhcp permit
  any any svc-natt permit
ip access-list session v6-icmp-acl
ip access-list session apprf-ascom-sacl
ip access-list session validuser
  network 16925400 25525500 any any deny
  network 127000 255000 any any deny
  network 224000 240000 any any deny
  host 255255255255 any any deny
  network 240000 240000 any any deny
  any any any permit
  ipv6 host fe80 any any deny
  ipv6 network fc007 any any permit
  ipv6 network fe8064 any any permit
  ipv6 alias ipv6-reserved-range any any deny
  ipv6 any any any permit
ip access-list session vocera-acl
  any any svc-vocera permit queue high
ip access-list session v6-https-acl
ip access-list session vmware-acl
  any any svc-vmware-rdp permit tos 46 dot1p-priority 6
  any any svc-pcoip-tcp permit tos 46 dot1p-priority 6
  any any svc-pcoip-udp permit tos 46 dot1p-priority 6
  any any svc-pcoip2-tcp permit tos 46 dot1p-priority 6
  any any svc-pcoip2-udp permit tos 46 dot1p-priority 6
ip access-list session apprf-default-vpn-role-sacl
ip access-list session v6-control
  ipv6 any any svc-papi permit
  ipv6 any any svc-sec-papi permit
  ipv6 user any udp 547 deny
  ipv6 any any svc-v6-icmp permit
  ipv6 any any svc-dns permit
  ipv6 any any svc-cfgm-tcp permit
  ipv6 any any svc-adp permit
  ipv6 any any svc-tftp permit
  ipv6 any any svc-dhcp permit
  ipv6 any any svc-natt permit
ip access-list session icmp-acl
  any any svc-icmp permit
ip access-list session apprf-authenticated-sacl
ip access-list session apprf-stateful-dot1x-sacl
ip access-list session captiveportal
  user alias controller svc-https dst-nat 8081
  user any svc-http dst-nat 8080
  user any svc-https dst-nat 8081
  user any svc-http-proxy1 dst-nat 8088
  user any svc-http-proxy2 dst-nat 8088
  user any svc-http-proxy3 dst-nat 8088
ip access-list session v6-dhcp-acl
ip access-list session allowall
  any any any permit
ip access-list session v6-dns-acl
ip access-list session apprf-voice-sacl
ip access-list session lync-acl
  any any svc-sips permit queue high
ip access-list session test
ip access-list session sip-acl
  any any svc-sip-udp permit queue high
  any any svc-sip-tcp permit queue high
ip access-list session https-acl
  any any svc-https permit
ip access-list session citrix-acl
  any any svc-citrix permit tos 46 dot1p-priority 6
  any any svc-ica permit tos 46 dot1p-priority 6
ip access-list session dns-acl
  any any svc-dns permit
ip access-list session ascom
  any any any permit
ip access-list session ra-guard
  ipv6 user any icmpv6 rtr-adv deny
ip access-list session allow-printservices
  any any svc-cups permit
  any any svc-lpd-tcp permit
  any any svc-lpd-udp permit
ip access-list session logon-control
  user any udp 68 deny
  any any svc-icmp permit
  any any svc-dns permit
  any any svc-dhcp permit
  any any svc-natt permit
  any network 16925400 25525500 any deny
  any network 240000 240000 any deny
ip access-list session vpnlogon
  user any svc-ike permit
  user any svc-esp permit
  any any svc-l2tp permit
  any any svc-pptp permit
  any any svc-gre permit
ip access-list session srcnat
  user any any src-nat
ip access-list session skinny-acl
  any any svc-sccp permit queue high
ip access-list session tftp-acl
  any any svc-tftp permit
ip access-list session v6-allowall
ip access-list session apprf-cpbase-sacl
ip access-list session cplogout
  user alias controller svc-https dst-nat 8081
ip access-list session apprf-default-via-role-sacl
ip access-list session dhcp-acl
  any any svc-dhcp permit
ip access-list session http-acl
  any any svc-http permit
ip access-list session v6-http-acl
ip access-list session captiveportal6
  ipv6 user alias controller6 svc-https captive
  ipv6 user any svc-http captive
  ipv6 user any svc-https captive
  ipv6 user any svc-http-proxy1 captive
  ipv6 user any svc-http-proxy2 captive
  ipv6 user any svc-http-proxy3 captive
ip access-list session apprf-guest-sacl
ip access-list session ap-uplink-acl
  any any udp 68 permit
  any any svc-icmp permit
  any host 22400251 udp 5353 permit
ip access-list session ap-acl
  any any svc-gre permit
  any any svc-syslog permit
  any user svc-snmp permit
  user any svc-http permit
  user any svc-http-accl permit
  user any svc-smb-tcp permit
  user any svc-msrpc-tcp permit
  user any svc-snmp-trap permit
  user any svc-ntp permit
  user alias controller svc-ftp permit
ip access-list session svp-acl
  any any svc-svp permit queue high
  user host 22401116 any permit
ip access-list session noe-acl
  any any svc-noe permit queue high
ip access-list session global-sacl
ip access-list session v6-ap-acl
  ipv6 any any svc-gre permit
  ipv6 any any svc-syslog permit
  ipv6 any user svc-snmp permit
  ipv6 user any svc-snmp-trap permit
  ipv6 user any svc-ntp permit
  ipv6 user alias controller6 svc-ftp permit
ip access-list session h323-acl
  any any svc-h323-tcp permit queue high
  any any svc-h323-udp permit queue high
ip access-list session v6-logon-control
  ipv6 any network fc007 any permit
  ipv6 any network fe8064 any permit
  ipv6 any alias ipv6-reserved-range any deny
vpn-dialer default-dialer
  ike authentication PRE-SHARE 0fa4598253e270cc96afbec0732b06120e4a3d76a908f6e2
dot1x high-watermark 60
dot1x low-watermark 57
user-role ap-role
  access-list session ra-guard
  access-list session control
  access-list session ap-acl
  access-list session v6-control
  access-list session v6-ap-acl
user-role denyall
user-role default-vpn-role
  access-list session global-sacl
  access-list session apprf-default-vpn-role-sacl
  access-list session ra-guard
  access-list session allowall
  access-list session v6-allowall
user-role cpbase
  access-list session global-sacl
  access-list session apprf-cpbase-sacl
user-role voice
  access-list session global-sacl
  access-list session apprf-voice-sacl
  access-list session ra-guard
  access-list session sip-acl
  access-list session noe-acl
  access-list session svp-acl
  access-list session vocera-acl
  access-list session skinny-acl
  access-list session h323-acl
  access-list session dhcp-acl
  access-list session tftp-acl
  access-list session dns-acl
  access-list session icmp-acl
user-role ascom
  access-list session global-sacl
  access-list session apprf-ascom-sacl
  access-list session ascom
user-role default-via-role
  access-list session global-sacl
  access-list session apprf-default-via-role-sacl
  access-list session allowall
  access-list session v6-allowall
user-role guest-logon
  captive-portal default
  access-list session ra-guard
  access-list session logon-control
  access-list session captiveportal
  access-list session v6-logon-control
  access-list session captiveportal6
user-role guest
  access-list session global-sacl
  access-list session apprf-guest-sacl
  access-list session ra-guard
  access-list session http-acl
  access-list session https-acl
  access-list session dhcp-acl
  access-list session icmp-acl
  access-list session dns-acl
  access-list session v6-http-acl
  access-list session v6-https-acl
  access-list session v6-dhcp-acl
  access-list session v6-icmp-acl
  access-list session v6-dns-acl
user-role stateful-dot1x
  access-list session global-sacl
  access-list session apprf-stateful-dot1x-sacl
user-role authenticated
  access-list session global-sacl
  access-list session apprf-authenticated-sacl
  access-list session ra-guard
  access-list session allowall
  access-list session v6-allowall
user-role logon
  access-list session ra-guard
  access-list session logon-control
  access-list session captiveportal
  access-list session vpnlogon
  access-list session v6-logon-control
  access-list session captiveportal6
no kernel coredump
interface mgmt
  shutdown
dialer group evdo_us
  init-string ATQ0V1E0
  dial-string ATDT777
dialer group gsm_us
  init-string AT+CGDCONT=1IPISPCINGULAR
  dial-string ATD99
dialer group gsm_asia
  init-string AT+CGDCONT=1IPinternet
  dial-string ATD991
dialer group vivo_br
  init-string AT+CGDCONT=1IPzapvivocombr
  dial-string ATD99
no spanning-tree
interface gigabitethernet 10
  description GE10
  trusted
  trusted vlan 1-4094
interface gigabitethernet 11
  description GE11
  trusted
  trusted vlan 1-4094
interface gigabitethernet 12
  description GE12
  trusted
  trusted vlan 1-4094
interface gigabitethernet 13
  description GE13
  trusted
  trusted vlan 1-4094
interface vlan 1
  ip address 192168013 2552552550
ip default-gateway 172201061
ip default-gateway 192168050
uplink disable
crypto isakmp policy 20
  encryption aes256
crypto isakmp policy 10001
crypto isakmp policy 10002
  encryption aes256
  authentication rsa-sig
crypto isakmp policy 10003
  encryption aes256
crypto isakmp policy 10004
  version v2
  encryption aes256
  authentication rsa-sig
crypto isakmp policy 10005
  encryption aes256
crypto isakmp policy 10006
  version v2
  encryption aes128
  authentication rsa-sig
crypto isakmp policy 10007
  version v2
  encryption aes128
crypto isakmp policy 10008
  version v2
  encryption aes128
  hash sha2-256-128
  group 19
  authentication ecdsa-256
  prf prf-hmac-sha256
crypto isakmp policy 10009
  version v2
  encryption aes256
  hash sha2-384-192
  group 20
  authentication ecdsa-384
  prf prf-hmac-sha384
crypto ipsec transform-set default-ha-transform esp-3des esp-sha-hmac
crypto ipsec transform-set default-boc-bm-transform esp-3des esp-sha-hmac
crypto ipsec transform-set default-rap-transform esp-aes256 esp-sha-hmac
crypto ipsec transform-set default-aes esp-aes256 esp-sha-hmac
crypto dynamic-map default-rap-ipsecmap 10001
  version v2
  set transform-set default-gcm256 default-gcm128 default-rap-transform
crypto dynamic-map default-dynamicmap 10000
  set transform-set default-transform default-aes
crypto map GLOBAL-IKEV2-MAP 10000 ipsec-isakmp dynamic default-rap-ipsecmap
crypto map GLOBAL-MAP 10000 ipsec-isakmp dynamic default-dynamicmap
crypto isakmp eap-passthrough eap-tls
crypto isakmp eap-passthrough eap-peap
crypto isakmp eap-passthrough eap-mschapv2
vpdn group l2tp
vpdn group pptp
tunneled-node-address 0000
adp discovery enable
adp igmp-join enable
adp igmp-vlan 0
voice rtcp-inactivity disable
voice alg-based-cac enable
voice sip-midcall-req-timeout disable
ap ap-blacklist-time 3600
ap flush-r1-on-new-r0 disable
mgmt-user admin root 5436b5a101681372db26d314e974065944317cd3e1fe6a5534
no database synchronize
ip mobile domain default
airgroup mdns enable
airgroup dlna enable
airgroup location-discovery enable
airgroup active-wireless-discovery disable
airgroupservice airplay
  id _airplay_tcp
  id _raop_tcp
  id _appletv-v2_tcp
  description AirPlay
airgroupservice airprint
  id _ipp_tcp
  id _pdl-datastream_tcp
  id _printer_tcp
  id _scanner_tcp
  id _universal_sub_ipp_tcp
  id _universal_sub_ipps_tcp
  id _printer_sub_http_tcp
  id _http_tcp
  id _http-alt_tcp
  id _ipp-tls_tcp
  id _fax-ipp_tcp
  id _riousbprint_tcp
  id _cups_sub_ipp_tcp
  id _cups_sub_fax-ipp_tcp
  id _ica-networking_tcp
  id _ptp_tcp
  id _canon-bjnp1_tcp
  id _ipps_tcp
  id _ica-networking2_tcp
  description AirPrint
airgroupservice itunes
  id _home-sharing_tcp
  id _apple-mobdev_tcp
  id _daap_tcp
  id _dacp_tcp
  description iTunes
airgroupservice remotemgmt
  id _ssh_tcp
  id _sftp-ssh_tcp
  id _ftp_tcp
  id _telnet_tcp
  id _rfb_tcp
  id _net-assistant_tcp
  description Remote management
airgroupservice sharing
  id _odisk_tcp
  id _afpovertcp_tcp
  id _xgrid_tcp
  description Sharing
airgroupservice chat
  id _presence_tcp
  description Chat
airgroupservice googlecast
  id _googlecast_tcp
  description GoogleCast supported by Chromecast etc
airgroupservice DIAL
  id urndial-multiscreen-orgservicedial1
  id urndial-multiscreen-orgdevicedial1
  description DIAL supported by Chromecast FireTV Roku etc
airgroupservice DLNA Media
  id urnschemas-upnp-orgdeviceMediaServer1
  id urnschemas-upnp-orgdeviceMediaServer2
  id urnschemas-upnp-orgdeviceMediaServer3
  id urnschemas-upnp-orgdeviceMediaServer4
  id urnschemas-upnp-orgdeviceMediaRenderer1
  id urnschemas-upnp-orgdeviceMediaRenderer2
  id urnschemas-upnp-orgdeviceMediaRenderer3
  id urnschemas-upnp-orgdeviceMediaPlayer1
  description Media
airgroupservice DLNA Print
  id urnschemas-upnp-orgdevicePrinter1
  id urnschemas-upnp-orgservicePrintBasic1
  id urnschemas-upnp-orgservicePrintEnhanced1
  description Print
airgroupservice allowall
  description Remaining-Services
airgroup service airplay enable
airgroup service airprint enable
airgroup service itunes disable
airgroup service remotemgmt disable
airgroup service sharing disable
airgroup service chat disable
airgroup service googlecast disable
airgroup service DIAL enable
airgroup service DLNA Media disable
airgroup service DLNA Print disable
airgroup service allowall disable
ip igmp
ipv6 mld
no firewall attack-rate cp 1024
firewall enable ICE-STUN based firewall traversal
firewall attack-rate grat-arp 50 drop
ipv6 firewall ext-hdr-parse-len 100
firewall cp
ip domain lookup
country US
aaa authentication mac default
aaa authentication dot1x ArubaIntop-dot1x_prof
aaa authentication dot1x ascom
  machine-authentication enable
  machine-authentication machine-default-role ascom
  machine-authentication user-default-role authenticated
  reauthentication
  termination enable
  termination eap-type eap-peap
  termination inner-eap-type eap-mschapv2
aaa authentication dot1x default
aaa authentication dot1x Freeradius
  machine-authentication enable
  machine-authentication machine-default-role ascom
  machine-authentication user-default-role authenticated
aaa authentication-server radius Intop
  host 19216802
  key 6035e299cd29e5ccb74cf92aac31ee2f
aaa server-group ascom
  auth-server Internal
aaa server-group default
  auth-server Internal
  set role condition role value-of
aaa server-group intop
  auth-server Intop
aaa profile ascom
  initial-role ascom
  authentication-dot1x ascom
  dot1x-default-role authenticated
  dot1x-server-group ascom
aaa profile default
aaa profile default-dot1x
  initial-role ascom
  authentication-dot1x Freeradius
  dot1x-default-role authenticated
  dot1x-server-group intop
aaa profile default-dot1x-psk
  initial-role ascom
  authentication-dot1x default-psk
  dot1x-default-role authenticated
aaa authentication captive-portal default
aaa authentication wispr default
aaa authentication vpn default
aaa authentication vpn default-rap
aaa authentication mgmt
aaa authentication stateful-ntlm default
aaa authentication stateful-kerberos default
aaa authentication stateful-dot1x
  server-group intop
aaa authentication wired
web-server
guest-access-email
voice logging
voice dialplan-profile default
app lync traffic-control default
voice real-time-config
voice sip
aaa password-policy mgmt
control-plane-security
  no cpsec-enable
ids wms-general-profile
  poll-retries 3
ids wms-local-system-profile
valid-network-oui-profile
upgrade-profile
license profile
activate-service-whitelist
file syncing profile
ifmap cppm
pan profile default
pan active-profile
ap system-profile default
ap regulatory-domain-profile default
  country-code US
  valid-11g-channel 1
  valid-11g-channel 6
  valid-11g-channel 11
  valid-11a-channel 36
  valid-11a-channel 40
  valid-11a-channel 44
  valid-11a-channel 48
  valid-11a-channel 149
  valid-11a-channel 153
  valid-11a-channel 157
  valid-11a-channel 161
  valid-11a-channel 165
  valid-11g-40mhz-channel-pair 1-5
  valid-11g-40mhz-channel-pair 7-11
  valid-11a-40mhz-channel-pair 36-40
  valid-11a-40mhz-channel-pair 44-48
  valid-11a-40mhz-channel-pair 149-153
  valid-11a-40mhz-channel-pair 157-161
ap wired-ap-profile default
ap enet-link-profile default
ap mesh-ht-ssid-profile default
ap lldp med-network-policy-profile default
ap mesh-cluster-profile default
ap lldp profile default
ap mesh-radio-profile default
ap wired-port-profile default
ids general-profile default
ids unauthorized-device-profile default
ids profile default
rf arm-profile default
  assignment disable
rf arm-profile disable
  assignment disable
  no scanning
  no multi-band-scan
rf optimization-profile default
rf event-thresholds-profile default
rf am-scan-profile default
rf dot11a-radio-profile ch 165
  channel 48E
  tx-power 6
  arm-profile disable
rf dot11a-radio-profile ch 36
  channel 36E
  tx-power 25
  dot11h
  arm-profile disable
rf dot11a-radio-profile ch 40
  channel 40-
  tx-power 22
rf dot11a-radio-profile ch149
  channel 149E
  tx-power 6
  dot11h
rf dot11a-radio-profile ch44
  channel 44
  tx-power 16
rf dot11a-radio-profile default
  arm-profile disable
rf dot11g-radio-profile channel-1
  channel 1
  tx-power 6
  dot11h
  arm-profile disable
rf dot11g-radio-profile channel-11
  channel 11
  tx-power 30
  dot11h
  arm-profile disable
rf dot11g-radio-profile channel-6
  channel 6
  tx-power 25
  dot11h
  arm-profile disable
rf dot11g-radio-profile default
wlan handover-trigger-profile default
wlan rrm-ie-profile default
wlan bcn-rpt-req-profile default
wlan dot11r-profile default
wlan tsm-req-profile default
wlan voip-cac-profile default
  call-capacity 5
  bandwidth-capacity 200
  send-sip-status-code client 503
  send-sip-status-code server 503
wlan ht-ssid-profile default
  no 40MHz-enable
  no very-high-throughput-enable
  no 80MHz-enable
  no short-guard-intvl-20MHz
  no short-guard-intvl-40MHz
  no short-guard-intvl-80MHz
wlan hotspot anqp-venue-name-profile default
wlan hotspot anqp-nwk-auth-profile default
wlan hotspot anqp-roam-cons-profile default
wlan hotspot anqp-nai-realm-profile default
wlan hotspot anqp-3gpp-nwk-profile default
wlan hotspot h2qp-operator-friendly-name-profile default
wlan hotspot h2qp-wan-metrics-profile default
wlan hotspot h2qp-conn-capability-profile default
wlan hotspot h2qp-op-cl-profile default
wlan hotspot anqp-ip-addr-avail-profile default
wlan hotspot anqp-domain-name-profile default
wlan wmm-traffic-management-profile Ascom
  enable-shaping
wlan edca-parameters-profile station default
wlan edca-parameters-profile ap default
wlan dot11k-profile default
wlan ssid-profile --NEW--
  essid ArubaIntop2
  wmm-vo-dscp 56
  wmm-vi-dscp 40
  wmm-be-dscp 24
  wmm-bk-dscp 8
wlan ssid-profile default
  essid ArubaIntop
  opmode wpa2-psk-aes
  dtim-period 5
  g-basic-rates 6
  g-tx-rates 11 12 18 24 36 48 54
  max-retries 4
  wmm
  wmm-vo-dscp 46
  wmm-vi-dscp 40
  wmm-be-dscp 26
  wmm-bk-dscp 0
  wepkey1 1317981aecb1ee9a3145cbeeabbbc99a4c29e309ef9c8544
  wpa-passphrase 50a78a5dac7e447441e028920cceef898a3ba5f29c6e2098
  max-tx-fail 25
  edca-parameters-profile station default
  edca-parameters-profile ap default
wlan ssid-profile test
  opmode wpa2-psk-aes
  wmm-vo-dscp 56
  wmm-vi-dscp 40
  wmm-be-dscp 24
  wmm-bk-dscp 8
  wpa-passphrase c66913b490044f55538730b888a8522c02008a746fb88738
wlan hotspot advertisement-profile default
wlan hotspot hs2-profile default
wlan virtual-ap default
  aaa-profile default-dot1x
ap provisioning-profile default
rf arm-rf-domain-profile
  arm-rf-domain-key 49868e8b02680a8f03980ea4288197a4
ap-lacp-striping-ip
ap-group default
  virtual-ap default
  dot11a-radio-profile ch149
  dot11g-radio-profile channel-6
ap-name 001a1eca2c1a
  dot11a-radio-profile ch 36
  dot11g-radio-profile channel-11
ap-name 001a1eca2c76
  dot11a-radio-profile ch 36
  dot11g-radio-profile channel-1
ap-name 00246ccbf8b1
ap-name 00246ccbf900
  dot11a-radio-profile ch44
  dot11g-radio-profile channel-11
ap-name 24dec6cacabc
  dot11a-radio-profile ch149
  dot11g-radio-profile channel-1
ap-name 3400-ap-61-a
  dot11g-radio-profile channel-6
ap-name 3400-ap-61-b
  dot11g-radio-profile channel-6
ap-name 9c1c12c0c3bc
  dot11a-radio-profile ch 165
  dot11g-radio-profile channel-6

ap-name 9c1c12c82e5c
   dot11a-radio-profile ch149
   dot11g-radio-profile channel-1
ap-name 9c1c12cc6220
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-6
ap-name d8c7c8c0a168
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-1
airgroup cppm-server aaa
logging level warnings security subcat ids
logging level warnings security subcat ids-ap
snmp-server enable trap
snmp-server trap source 0000
snmp-server trap disable wlsxAdhocNetwork
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedAP
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedSta
snmp-server trap disable wlsxAdhocUsingValidSSID
snmp-server trap disable wlsxAuthMaxAclEntries
snmp-server trap disable wlsxAuthMaxBWContracts
snmp-server trap disable wlsxAuthMaxUserEntries
snmp-server trap disable wlsxAuthServerIsUp
snmp-server trap disable wlsxAuthServerReqTimedOut
snmp-server trap disable wlsxAuthServerTimedOut
snmp-server trap disable wlsxChannelChanged
snmp-server trap disable wlsxCoverageHoleDetected
snmp-server trap disable wlsxDBCommunicationFailure
snmp-server trap disable wlsxDisconnectStationAttack
snmp-server trap disable wlsxESIServerDown
snmp-server trap disable wlsxESIServerUp
snmp-server trap disable wlsxFanFailure
snmp-server trap disable wlsxFanTrayInserted
snmp-server trap disable wlsxFanTrayRemoved
snmp-server trap disable wlsxGBICInserted
snmp-server trap disable wlsxIpSpoofingDetected
snmp-server trap disable wlsxLCInserted
snmp-server trap disable wlsxLCRemoved
snmp-server trap disable wlsxLicenseExpiry
snmp-server trap disable wlsxLowMemory
snmp-server trap disable wlsxLowOnFlashSpace
snmp-server trap disable wlsxOutOfRangeTemperature
snmp-server trap disable wlsxOutOfRangeVoltage
snmp-server trap disable wlsxPowerSupplyFailure
snmp-server trap disable wlsxPowerSupplyMissing
snmp-server trap disable wlsxProcessDied
snmp-server trap disable wlsxProcessExceedsMemoryLimits
snmp-server trap disable wlsxSCInserted
snmp-server trap disable wlsxSignatureMatch
snmp-server trap disable wlsxStaUnAssociatedFromUnsecureAP
snmp-server trap disable wlsxStationAddedToBlackList
snmp-server trap disable wlsxStationRemovedFromBlackList
snmp-server trap disable wlsxSwitchIPChanged
snmp-server trap disable wlsxSwitchRoleChange
snmp-server trap disable wlsxUserAuthenticationFailed
snmp-server trap disable wlsxUserEntryAuthenticated
snmp-server trap disable wlsxUserEntryChanged
snmp-server trap disable wlsxUserEntryCreated
snmp-server trap disable wlsxUserEntryDeAuthenticated
snmp-server trap disable wlsxUserEntryDeleted
snmp-server trap disable wlsxVrrpStateChange


firewall-visibility
process monitor log
end


WLAN Interoperability Test Report

Test object - Handset: Ascom i62 sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP115 and AP225

WLAN configuration:
Beacon Interval 100ms
DTIM Interval 5
802.11d Regulatory Domain XX
WMM Enabled (AutoWMM)
No Auto-tune
Single Voice VLAN

| Test Case | Description | AP115 2.4GHz | AP115 5.0GHz | AP225 2.4GHz | AP225 5.0GHz | Comment |
|---|---|---|---|---|---|---|
| | TEST AREA ASSOCIATION AUTHENTICATION | | | | | |
| 101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS | |
| 104 | Association with WPA-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 105 | Association with WPA-PSK authentication, AES-CCMP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 106 | Association with WPA2-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS | |
| 110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL |
| 111 | Association with EAP-FAST authentication | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment |
| 116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate |
| | TEST AREA POWER-SAVE AND QOS | | | | | PASS |
| 150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL |
| 151 | Beacon period and DTIM interval | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
| 152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment |
| 202 | WMM prioritization | PASS | PASS | PASS | PASS | background load generated with iPerf. No degeneration of voice quality |
| | TEST AREA PERFORMANCE | | | | | |
| 301 | Active mode - unencrypted | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 303 | Active mode - encrypted with WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 308 | Power-save mode U-APSD - WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 309 | Power-save mode U-APSD - WPA2-PSK AES, background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 310 | CAC - TSPEC | PASS | PASS | PASS | PASS | No TSPEC based CAC |
| | TEST AREA ROAMING AND HANDOVER TIMES | | | | | |
| 401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | avg a/n 24ms, b/g/n 24ms |
| 403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 52ms, b/g/n 59ms |
| 408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 63ms, b/g/n 62ms |
| 410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | always on, see 408 |
| 411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | always on, see 408 |
| | TEST AREA BATTERY LIFETIME | | | | | |
| 501 | Battery lifetime in idle | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 502 | Battery lifetime in call with no power save | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 504 | Battery lifetime in call with power save mode U-APSD | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| | TEST AREA STABILITY | | | | | |
| 601 | Duration of call - Active mode | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 602 | Duration of call - U-APSD mode | PASS | PASS | PASS | PASS | |
| | TEST AREA 802.11n | | | | | |
| 801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 804 | 40MHz channels | NOT TESTED | PASS | NOT TESTED | NOT TESTED | |
| 805 | 802.11n rates | PASS | PASS | PASS | PASS | |

WLAN Interoperability Test Report

Test object - Handset: Ascom i62 sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP103 and AP205

WLAN configuration:
Beacon Interval 100ms
DTIM Interval 5
802.11d Regulatory Domain XX
WMM Enabled (AutoWMM)
No Auto-tune
Single Voice VLAN

| Test Case | Description | AP205 2.4GHz | AP205 5.0GHz | AP103 2.4GHz | AP103 5.0GHz | Comment |
|---|---|---|---|---|---|---|
| | TEST AREA ASSOCIATION AUTHENTICATION | | | | | |
| 101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS | |
| 104 | Association with WPA-PSK authentication, TKIP encryption | See Comment | See Comment | See Comment | See Comment | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 105 | Association with WPA-PSK authentication, AES-CCMP encryption | See Comment | See Comment | See Comment | See Comment | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 106 | Association with WPA2-PSK authentication, TKIP encryption | PASS | PASS | PASS | PASS | |
| 107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS | |
| 110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL |
| 115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment |
| 116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate |
| | TEST AREA POWER-SAVE AND QOS | | | | | PASS |
| 150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL |
| 151 | Beacon period and DTIM interval | See Comment | See Comment | PASS | PASS | Only Dtim 1 for AP205 AP103 no remark NOT TESTED |
| 152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment |
| 202 | WMM prioritization | PASS | PASS | PASS | PASS | |
| | TEST AREA PERFORMANCE | | | | | |
| 301 | Active mode - unencrypted | PASS | PASS | PASS | PASS | |
| 303 | Active mode - encrypted with WPA2-PSK | PASS | PASS | PASS | PASS | |
| 308 | Power-save mode U-APSD - WPA2-PSK | PASS | PASS | PASS | PASS | |
| 309 | Power-save mode U-APSD - WPA2-PSK AES, background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 310 | CAC - TSPEC | PASS | PASS | PASS | PASS | Non tspec based CAC |
| | TEST AREA ROAMING AND HANDOVER TIMES | | | | | |
| 401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 16ms, b/g/n 18ms |
| 403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 53ms, b/g/n 59ms |
| 408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 46ms, b/g/n 62ms |
| 410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | always on, see 408 |
| 411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | always on, see 408 |
| | TEST AREA BATTERY LIFETIME | | | | | |
| 501 | Battery lifetime in idle | See Comment | See Comment | PASS | PASS | 60-70h due to DTIM 1 only AP103 90 100h (DTIM 5) |
| 502 | Battery lifetime in call with no power save | PASS | PASS | PASS | PASS | 3-4hours |
| 504 | Battery lifetime in call with power save mode U-APSD | PASS | PASS | PASS | PASS | 13h (14-16h for AP103) |
| | TEST AREA STABILITY | | | | | |
| 601 | Duration of call - Active mode | PASS | PASS | PASS | PASS | 24h + |
| 602 | Duration of call - U-APSD mode | PASS | PASS | PASS | PASS | 24h + |
| | TEST AREA 802.11n | | | | | |
| 801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 804 | 40MHz channels | NOT TESTED | PASS | NOT TESTED | PASS | AP205 80MHz channels verified ok |
| 805 | 802.11n rates | PASS | PASS | PASS | PASS | |


WLAN Interoperability Test Report

Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP105 and AP135

WLAN configuration:
Beacon Interval 100ms
DTIM Interval 5
802.11d Regulatory Domain XX
WMM Enabled (Auto/WMM)
No Auto-tune
Single Voice VLAN

| Test Case | Description | AP105 2.4 GHz | AP105 5.0 GHz | AP135 2.4 GHz | AP135 5.0 GHz | Comment |
|---|---|---|---|---|---|---|
| | TEST AREA: ASSOCIATION / AUTHENTICATION | | | | | |
| 101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS | |
| 104 | Association with WPA-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 105 | Association with WPA-PSK authentication, AES-CCMP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 106 | Association with WPA2-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS | |
| 110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL |
| 115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment |
| 116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate |
| | TEST AREA: POWER-SAVE AND QOS | | | | | PASS |
| 150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL |
| 151 | Beacon period and DTIM interval | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Only DTIM 1 for AP205. AP103 no remark NOT TESTED |
| 152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment |
| 202 | WMM prioritization | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Background load generated with iPerf. No degeneration of voice quality |
| | TEST AREA: PERFORMANCE | | | | | |
| 301 | Active mode - unencrypted | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 303 | Active mode – encrypted with WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 308 | Power-save mode U-APSD – WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 309 | Power-save mode U-APSD – WPA2-PSK AES background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 310 | CAC - TSPEC | PASS | PASS | PASS | PASS | No TSPEC based CAC |
| | TEST AREA: ROAMING AND HANDOVER TIMES | | | | | |
| 401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | avg a/n 29ms, b/g/n 27ms |
| 403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 57ms, b/g/n 55ms |
| 408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 62ms, b/g/n 60ms |
| 410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | Always on, see 408 |
| 411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | Always on, see 408 |
| 412 | Preauthentication | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| | TEST AREA: BATTERY LIFETIME | | | | | |
| 501 | Battery lifetime in idle | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 502 | Battery lifetime in call with no power save | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 504 | Battery lifetime in call with power save mode U-APSD | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| | TEST AREA: STABILITY | | | | | |
| 601 | Duration of call – Active mode | PASS | PASS | PASS | PASS | |
| 602 | Duration of call – U-APSD mode | PASS | PASS | PASS | PASS | |
| | TEST AREA: 802.11n | | | | | |
| 801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 804 | 40 MHz channels | NOT TESTED | NOT TESTED | NOT TESTED | PASS | |
| 805 | 802.11n rates | PASS | PASS | PASS | PASS | |


netservice svc-cups tcp 515
netservice svc-pcoip2-udp udp 4172
netservice svc-bootp udp 67 69
netservice svc-snmp udp 161
netservice svc-v6-dhcp udp 546 547
netservice svc-icmp 1
netservice svc-ntp udp 123
netservice svc-msrpc-udp udp 135 139
netservice svc-ssh tcp 22
netservice svc-http-proxy1 tcp 3128
netservice svc-v6-icmp 58
netservice svc-lpd-udp udp 631
netservice svc-vmware-rdp tcp 3389
netdestination6 ipv6-reserved-range
  invert
  network 2000::/3
netexthdr default
time-range night-hours periodic
  weekday 18:01 to 23:59
  weekday 00:00 to 07:59
time-range weekend periodic
  weekend 00:00 to 23:59
time-range working-hours periodic
  weekday 08:00 to 18:00
ip access-list session allow-diskservices
  any any svc-netbios-dgm permit
  any any svc-netbios-ssn permit
  any any svc-microsoft-ds permit
  any any svc-netbios-ns permit
ip access-list session control
  any any svc-papi permit
  any any svc-sec-papi permit
  user any udp 68 deny
  any any svc-icmp permit
  any any svc-dns permit
  any any svc-cfgm-tcp permit
  any any svc-adp permit
  any any svc-tftp permit
  any any svc-dhcp permit
  any any svc-natt permit
ip access-list session v6-icmp-acl
ip access-list session apprf-ascom-sacl
ip access-list session validuser
  network 169.254.0.0 255.255.0.0 any any deny
  network 127.0.0.0 255.0.0.0 any any deny
  network 224.0.0.0 240.0.0.0 any any deny
  host 255.255.255.255 any any deny
  network 240.0.0.0 240.0.0.0 any any deny
  any any any permit
  ipv6 host fe80:: any any deny
  ipv6 network fc00::/7 any any permit
  ipv6 network fe80::/64 any any permit
  ipv6 alias ipv6-reserved-range any any deny
  ipv6 any any any permit
ip access-list session vocera-acl
  any any svc-vocera permit queue high

ip access-list session v6-https-acl
ip access-list session vmware-acl
  any any svc-vmware-rdp permit tos 46 dot1p-priority 6
  any any svc-pcoip-tcp permit tos 46 dot1p-priority 6
  any any svc-pcoip-udp permit tos 46 dot1p-priority 6
  any any svc-pcoip2-tcp permit tos 46 dot1p-priority 6
  any any svc-pcoip2-udp permit tos 46 dot1p-priority 6
ip access-list session apprf-default-vpn-role-sacl
ip access-list session v6-control
  ipv6 any any svc-papi permit
  ipv6 any any svc-sec-papi permit
  ipv6 user any udp 547 deny
  ipv6 any any svc-v6-icmp permit
  ipv6 any any svc-dns permit
  ipv6 any any svc-cfgm-tcp permit
  ipv6 any any svc-adp permit
  ipv6 any any svc-tftp permit
  ipv6 any any svc-dhcp permit
  ipv6 any any svc-natt permit
ip access-list session icmp-acl
  any any svc-icmp permit
ip access-list session apprf-authenticated-sacl
ip access-list session apprf-stateful-dot1x-sacl
ip access-list session captiveportal
  user alias controller svc-https dst-nat 8081
  user any svc-http dst-nat 8080
  user any svc-https dst-nat 8081
  user any svc-http-proxy1 dst-nat 8088
  user any svc-http-proxy2 dst-nat 8088
  user any svc-http-proxy3 dst-nat 8088
ip access-list session v6-dhcp-acl
ip access-list session allowall
  any any any permit
ip access-list session v6-dns-acl
ip access-list session apprf-voice-sacl
ip access-list session lync-acl
  any any svc-sips permit queue high
ip access-list session test
ip access-list session sip-acl
  any any svc-sip-udp permit queue high
  any any svc-sip-tcp permit queue high
ip access-list session https-acl
  any any svc-https permit
ip access-list session citrix-acl
  any any svc-citrix permit tos 46 dot1p-priority 6
  any any svc-ica permit tos 46 dot1p-priority 6
ip access-list session dns-acl
  any any svc-dns permit

ip access-list session ascom
  any any any permit
ip access-list session ra-guard
  ipv6 user any icmpv6 rtr-adv deny
ip access-list session allow-printservices
  any any svc-cups permit
  any any svc-lpd-tcp permit
  any any svc-lpd-udp permit
ip access-list session logon-control
  user any udp 68 deny
  any any svc-icmp permit
  any any svc-dns permit
  any any svc-dhcp permit
  any any svc-natt permit
  any network 169.254.0.0 255.255.0.0 any deny
  any network 240.0.0.0 240.0.0.0 any deny
ip access-list session vpnlogon
  user any svc-ike permit
  user any svc-esp permit
  any any svc-l2tp permit
  any any svc-pptp permit
  any any svc-gre permit
ip access-list session srcnat
  user any any src-nat
ip access-list session skinny-acl
  any any svc-sccp permit queue high
ip access-list session tftp-acl
  any any svc-tftp permit
ip access-list session v6-allowall
ip access-list session apprf-cpbase-sacl
ip access-list session cplogout
  user alias controller svc-https dst-nat 8081
ip access-list session apprf-default-via-role-sacl
ip access-list session dhcp-acl
  any any svc-dhcp permit
ip access-list session http-acl
  any any svc-http permit
ip access-list session v6-http-acl
ip access-list session captiveportal6
  ipv6 user alias controller6 svc-https captive
  ipv6 user any svc-http captive
  ipv6 user any svc-https captive
  ipv6 user any svc-http-proxy1 captive
  ipv6 user any svc-http-proxy2 captive
  ipv6 user any svc-http-proxy3 captive
ip access-list session apprf-guest-sacl
ip access-list session ap-uplink-acl
  any any udp 68 permit

  any any svc-icmp permit
  any host 224.0.0.251 udp 5353 permit
ip access-list session ap-acl
  any any svc-gre permit
  any any svc-syslog permit
  any user svc-snmp permit
  user any svc-http permit
  user any svc-http-accl permit
  user any svc-smb-tcp permit
  user any svc-msrpc-tcp permit
  user any svc-snmp-trap permit
  user any svc-ntp permit
  user alias controller svc-ftp permit
ip access-list session svp-acl
  any any svc-svp permit queue high
  user host 224.0.1.116 any permit
ip access-list session noe-acl
  any any svc-noe permit queue high
ip access-list session global-sacl
ip access-list session v6-ap-acl
  ipv6 any any svc-gre permit
  ipv6 any any svc-syslog permit
  ipv6 any user svc-snmp permit
  ipv6 user any svc-snmp-trap permit
  ipv6 user any svc-ntp permit
  ipv6 user alias controller6 svc-ftp permit
ip access-list session h323-acl
  any any svc-h323-tcp permit queue high
  any any svc-h323-udp permit queue high
ip access-list session v6-logon-control
  ipv6 any network fc00::/7 any permit
  ipv6 any network fe80::/64 any permit
  ipv6 any alias ipv6-reserved-range any deny
vpn-dialer default-dialer
  ike authentication PRE-SHARE 0fa4598253e270cc96afbec0732b06120e4a3d76a908f6e2
dot1x high-watermark 60
dot1x low-watermark 57
user-role ap-role
  access-list session ra-guard
  access-list session control
  access-list session ap-acl
  access-list session v6-control
  access-list session v6-ap-acl
user-role denyall
user-role default-vpn-role
  access-list session global-sacl
  access-list session apprf-default-vpn-role-sacl
  access-list session ra-guard
  access-list session allowall
  access-list session v6-allowall
user-role cpbase
  access-list session global-sacl
  access-list session apprf-cpbase-sacl

user-role voice
  access-list session global-sacl
  access-list session apprf-voice-sacl
  access-list session ra-guard
  access-list session sip-acl
  access-list session noe-acl
  access-list session svp-acl
  access-list session vocera-acl
  access-list session skinny-acl
  access-list session h323-acl
  access-list session dhcp-acl
  access-list session tftp-acl
  access-list session dns-acl
  access-list session icmp-acl
user-role ascom
  access-list session global-sacl
  access-list session apprf-ascom-sacl
  access-list session ascom
user-role default-via-role
  access-list session global-sacl
  access-list session apprf-default-via-role-sacl
  access-list session allowall
  access-list session v6-allowall
user-role guest-logon
  captive-portal default
  access-list session ra-guard
  access-list session logon-control
  access-list session captiveportal
  access-list session v6-logon-control
  access-list session captiveportal6
user-role guest
  access-list session global-sacl
  access-list session apprf-guest-sacl
  access-list session ra-guard
  access-list session http-acl
  access-list session https-acl
  access-list session dhcp-acl
  access-list session icmp-acl
  access-list session dns-acl
  access-list session v6-http-acl
  access-list session v6-https-acl
  access-list session v6-dhcp-acl
  access-list session v6-icmp-acl
  access-list session v6-dns-acl
user-role stateful-dot1x
  access-list session global-sacl
  access-list session apprf-stateful-dot1x-sacl
user-role authenticated
  access-list session global-sacl
  access-list session apprf-authenticated-sacl
  access-list session ra-guard
  access-list session allowall
  access-list session v6-allowall
user-role logon
  access-list session ra-guard
  access-list session logon-control
  access-list session captiveportal
  access-list session vpnlogon
  access-list session v6-logon-control

  access-list session captiveportal6
no kernel coredump
interface mgmt
  shutdown
dialer group evdo_us
  init-string ATQ0V1E0
  dial-string ATDT777
dialer group gsm_us
  init-string AT+CGDCONT=1IPISPCINGULAR
  dial-string ATD99
dialer group gsm_asia
  init-string AT+CGDCONT=1IPinternet
  dial-string ATD991
dialer group vivo_br
  init-string AT+CGDCONT=1IPzapvivocombr
  dial-string ATD99
no spanning-tree
interface gigabitethernet 1/0
  description GE1/0
  trusted
  trusted vlan 1-4094
interface gigabitethernet 1/1
  description GE1/1
  trusted
  trusted vlan 1-4094
interface gigabitethernet 1/2
  description GE1/2
  trusted
  trusted vlan 1-4094
interface gigabitethernet 1/3
  description GE1/3
  trusted
  trusted vlan 1-4094
interface vlan 1
  ip address 192.168.0.13 255.255.255.0
ip default-gateway 172201061
ip default-gateway 192.168.0.50
uplink disable

crypto isakmp policy 20
  encryption aes256
crypto isakmp policy 10001
crypto isakmp policy 10002
  encryption aes256
  authentication rsa-sig
crypto isakmp policy 10003
  encryption aes256
crypto isakmp policy 10004
  version v2
  encryption aes256
  authentication rsa-sig
crypto isakmp policy 10005
  encryption aes256
crypto isakmp policy 10006
  version v2
  encryption aes128
  authentication rsa-sig
crypto isakmp policy 10007
  version v2
  encryption aes128
crypto isakmp policy 10008
  version v2
  encryption aes128
  hash sha2-256-128
  group 19
  authentication ecdsa-256
  prf prf-hmac-sha256
crypto isakmp policy 10009
  version v2
  encryption aes256
  hash sha2-384-192
  group 20
  authentication ecdsa-384
  prf prf-hmac-sha384
crypto ipsec transform-set default-ha-transform esp-3des esp-sha-hmac
crypto ipsec transform-set default-boc-bm-transform esp-3des esp-sha-hmac
crypto ipsec transform-set default-rap-transform esp-aes256 esp-sha-hmac
crypto ipsec transform-set default-aes esp-aes256 esp-sha-hmac
crypto dynamic-map default-rap-ipsecmap 10001
  version v2
  set transform-set default-gcm256 default-gcm128 default-rap-transform
crypto dynamic-map default-dynamicmap 10000
  set transform-set default-transform default-aes

crypto map GLOBAL-IKEV2-MAP 10000 ipsec-isakmp dynamic default-rap-ipsecmap
crypto map GLOBAL-MAP 10000 ipsec-isakmp dynamic default-dynamicmap
crypto isakmp eap-passthrough eap-tls
crypto isakmp eap-passthrough eap-peap
crypto isakmp eap-passthrough eap-mschapv2
vpdn group l2tp
vpdn group pptp
tunneled-node-address 0.0.0.0
adp discovery enable
adp igmp-join enable
adp igmp-vlan 0
voice rtcp-inactivity disable
voice alg-based-cac enable
voice sip-midcall-req-timeout disable
ap ap-blacklist-time 3600
ap flush-r1-on-new-r0 disable
mgmt-user admin root 5436b5a101681372db26d314e974065944317cd3e1fe6a5534
no database synchronize
ip mobile domain default
airgroup mdns enable
airgroup dlna enable
airgroup location-discovery enable
airgroup active-wireless-discovery disable
airgroupservice airplay
  id _airplay._tcp
  id _raop._tcp
  id _appletv-v2._tcp
  description AirPlay
airgroupservice airprint
  id _ipp._tcp
  id _pdl-datastream._tcp
  id _printer._tcp
  id _scanner._tcp
  id _universal._sub._ipp._tcp
  id _universal._sub._ipps._tcp
  id _printer._sub._http._tcp
  id _http._tcp

  id _http-alt._tcp
  id _ipp-tls._tcp
  id _fax-ipp._tcp
  id _riousbprint._tcp
  id _cups._sub._ipp._tcp
  id _cups._sub._fax-ipp._tcp
  id _ica-networking._tcp
  id _ptp._tcp
  id _canon-bjnp1._tcp
  id _ipps._tcp
  id _ica-networking2._tcp
  description AirPrint
airgroupservice itunes
  id _home-sharing._tcp
  id _apple-mobdev._tcp
  id _daap._tcp
  id _dacp._tcp
  description iTunes
airgroupservice remotemgmt
  id _ssh._tcp
  id _sftp-ssh._tcp
  id _ftp._tcp
  id _telnet._tcp
  id _rfb._tcp
  id _net-assistant._tcp
  description Remote management
airgroupservice sharing
  id _odisk._tcp
  id _afpovertcp._tcp
  id _xgrid._tcp
  description Sharing
airgroupservice chat
  id _presence._tcp
  description Chat
airgroupservice googlecast
  id _googlecast._tcp
  description GoogleCast supported by Chromecast etc
airgroupservice DIAL
  id urn:dial-multiscreen-org:service:dial:1
  id urn:dial-multiscreen-org:device:dial:1
  description DIAL supported by Chromecast FireTV Roku etc
airgroupservice DLNA Media
  id urn:schemas-upnp-org:device:MediaServer:1
  id urn:schemas-upnp-org:device:MediaServer:2
  id urn:schemas-upnp-org:device:MediaServer:3
  id urn:schemas-upnp-org:device:MediaServer:4
  id urn:schemas-upnp-org:device:MediaRenderer:1
  id urn:schemas-upnp-org:device:MediaRenderer:2
  id urn:schemas-upnp-org:device:MediaRenderer:3
  id urn:schemas-upnp-org:device:MediaPlayer:1
  description Media
airgroupservice DLNA Print
  id urn:schemas-upnp-org:device:Printer:1
  id urn:schemas-upnp-org:service:PrintBasic:1
  id urn:schemas-upnp-org:service:PrintEnhanced:1
  description Print
airgroupservice allowall

  description Remaining-Services
airgroup service airplay enable
airgroup service airprint enable
airgroup service itunes disable
airgroup service remotemgmt disable
airgroup service sharing disable
airgroup service chat disable
airgroup service googlecast disable
airgroup service DIAL enable
airgroup service DLNA Media disable
airgroup service DLNA Print disable
airgroup service allowall disable
ip igmp
ipv6 mld
no firewall attack-rate cp 1024
firewall enable ICE-STUN based firewall traversal
firewall attack-rate grat-arp 50 drop
ipv6 firewall ext-hdr-parse-len 100
firewall cp
ip domain lookup
country US
aaa authentication mac default
aaa authentication dot1x ArubaIntop-dot1x_prof
aaa authentication dot1x ascom
  machine-authentication enable
  machine-authentication machine-default-role ascom
  machine-authentication user-default-role authenticated
  reauthentication
  termination enable
  termination eap-type eap-peap
  termination inner-eap-type eap-mschapv2
aaa authentication dot1x default
aaa authentication dot1x Freeradius
  machine-authentication enable
  machine-authentication machine-default-role ascom
  machine-authentication user-default-role authenticated
aaa authentication-server radius Intop
  host 192.168.0.2

  key 6035e299cd29e5ccb74cf92aac31ee2f
aaa server-group ascom
  auth-server Internal
aaa server-group default
  auth-server Internal
  set role condition role value-of
aaa server-group intop
  auth-server Intop
aaa profile ascom
  initial-role ascom
  authentication-dot1x ascom
  dot1x-default-role authenticated
  dot1x-server-group ascom
aaa profile default
aaa profile default-dot1x
  initial-role ascom
  authentication-dot1x Freeradius
  dot1x-default-role authenticated
  dot1x-server-group intop
aaa profile default-dot1x-psk
  initial-role ascom
  authentication-dot1x default-psk
  dot1x-default-role authenticated
aaa authentication captive-portal default
aaa authentication wispr default
aaa authentication vpn default
aaa authentication vpn default-rap
aaa authentication mgmt
aaa authentication stateful-ntlm default
aaa authentication stateful-kerberos default
aaa authentication stateful-dot1x
  server-group intop
aaa authentication wired
web-server
guest-access-email
voice logging
voice dialplan-profile default
app lync traffic-control default
voice real-time-config
voice sip
aaa password-policy mgmt

control-plane-security
  no cpsec-enable
ids wms-general-profile
  poll-retries 3
ids wms-local-system-profile
valid-network-oui-profile
upgrade-profile
license profile
activate-service-whitelist
file syncing profile
ifmap cppm
pan profile default
pan active-profile
ap system-profile default
ap regulatory-domain-profile default
  country-code US
  valid-11g-channel 1
  valid-11g-channel 6
  valid-11g-channel 11
  valid-11a-channel 36
  valid-11a-channel 40
  valid-11a-channel 44
  valid-11a-channel 48
  valid-11a-channel 149
  valid-11a-channel 153
  valid-11a-channel 157
  valid-11a-channel 161
  valid-11a-channel 165
  valid-11g-40mhz-channel-pair 1-5
  valid-11g-40mhz-channel-pair 7-11
  valid-11a-40mhz-channel-pair 36-40
  valid-11a-40mhz-channel-pair 44-48
  valid-11a-40mhz-channel-pair 149-153
  valid-11a-40mhz-channel-pair 157-161
ap wired-ap-profile default
ap enet-link-profile default
ap mesh-ht-ssid-profile default
ap lldp med-network-policy-profile default
ap mesh-cluster-profile default
ap lldp profile default
ap mesh-radio-profile default
ap wired-port-profile default
ids general-profile default
ids unauthorized-device-profile default

ids profile default
rf arm-profile default
  assignment disable
rf arm-profile disable
  assignment disable
  no scanning
  no multi-band-scan
rf optimization-profile default
rf event-thresholds-profile default
rf am-scan-profile default
rf dot11a-radio-profile ch 165
  channel 48E
  tx-power 6
  arm-profile disable
rf dot11a-radio-profile ch 36
  channel 36E
  tx-power 25
  dot11h
  arm-profile disable
rf dot11a-radio-profile ch 40
  channel 40-
  tx-power 22
rf dot11a-radio-profile ch149
  channel 149E
  tx-power 6
  dot11h
rf dot11a-radio-profile ch44
  channel 44
  tx-power 16
rf dot11a-radio-profile default
  arm-profile disable
rf dot11g-radio-profile channel-1
  channel 1
  tx-power 6
  dot11h
  arm-profile disable
rf dot11g-radio-profile channel-11
  channel 11
  tx-power 30
  dot11h
  arm-profile disable
rf dot11g-radio-profile channel-6
  channel 6
  tx-power 25
  dot11h
  arm-profile disable
rf dot11g-radio-profile default
wlan handover-trigger-profile default

wlan rrm-ie-profile default
wlan bcn-rpt-req-profile default
wlan dot11r-profile default
wlan tsm-req-profile default
wlan voip-cac-profile default
  call-capacity 5
  bandwidth-capacity 200
  send-sip-status-code client 503
  send-sip-status-code server 503
wlan ht-ssid-profile default
  no 40MHz-enable
  no very-high-throughput-enable
  no 80MHz-enable
  no short-guard-intvl-20MHz
  no short-guard-intvl-40MHz
  no short-guard-intvl-80MHz
wlan hotspot anqp-venue-name-profile default
wlan hotspot anqp-nwk-auth-profile default
wlan hotspot anqp-roam-cons-profile default
wlan hotspot anqp-nai-realm-profile default
wlan hotspot anqp-3gpp-nwk-profile default
wlan hotspot h2qp-operator-friendly-name-profile default
wlan hotspot h2qp-wan-metrics-profile default
wlan hotspot h2qp-conn-capability-profile default
wlan hotspot h2qp-op-cl-profile default
wlan hotspot anqp-ip-addr-avail-profile default
wlan hotspot anqp-domain-name-profile default
wlan wmm-traffic-management-profile Ascom
  enable-shaping
wlan edca-parameters-profile station default
wlan edca-parameters-profile ap default
wlan dot11k-profile default
wlan ssid-profile --NEW--
  essid ArubaIntop2
  wmm-vo-dscp 56
  wmm-vi-dscp 40
  wmm-be-dscp 24
  wmm-bk-dscp 8
wlan ssid-profile default
  essid ArubaIntop
  opmode wpa2-psk-aes
  dtim-period 5
  g-basic-rates 6
  g-tx-rates 11 12 18 24 36 48 54

  max-retries 4
  wmm
  wmm-vo-dscp 46
  wmm-vi-dscp 40
  wmm-be-dscp 26
  wmm-bk-dscp 0
  wepkey1 1317981aecb1ee9a3145cbeeabbbc99a4c29e309ef9c8544
  wpa-passphrase 50a78a5dac7e447441e028920cceef898a3ba5f29c6e2098
  max-tx-fail 25
  edca-parameters-profile station default
  edca-parameters-profile ap default
wlan ssid-profile test
  opmode wpa2-psk-aes
  wmm-vo-dscp 56
  wmm-vi-dscp 40
  wmm-be-dscp 24
  wmm-bk-dscp 8
  wpa-passphrase c66913b490044f55538730b888a8522c02008a746fb88738
wlan hotspot advertisement-profile default
wlan hotspot hs2-profile default
wlan virtual-ap default
  aaa-profile default-dot1x
ap provisioning-profile default
rf arm-rf-domain-profile
  arm-rf-domain-key 49868e8b02680a8f03980ea4288197a4
ap-lacp-striping-ip
ap-group default
  virtual-ap default
  dot11a-radio-profile ch149
  dot11g-radio-profile channel-6
ap-name 00:1a:1e:ca:2c:1a
  dot11a-radio-profile ch 36
  dot11g-radio-profile channel-11
ap-name 00:1a:1e:ca:2c:76
  dot11a-radio-profile ch 36
  dot11g-radio-profile channel-1
ap-name 00:24:6c:cb:f8:b1
ap-name 00:24:6c:cb:f9:00
  dot11a-radio-profile ch44
  dot11g-radio-profile channel-11
ap-name 24:de:c6:ca:ca:bc
  dot11a-radio-profile ch149
  dot11g-radio-profile channel-1
ap-name 3400-ap-61-a
  dot11g-radio-profile channel-6
ap-name 3400-ap-61-b
  dot11g-radio-profile channel-6
ap-name 9c:1c:12:c0:c3:bc
  dot11a-radio-profile ch 165
  dot11g-radio-profile channel-6

ap-name 9c:1c:12:c8:2e:5c
  dot11a-radio-profile ch149
  dot11g-radio-profile channel-1
ap-name 9c:1c:12:cc:62:20
  dot11a-radio-profile ch 36
  dot11g-radio-profile channel-6
ap-name d8:c7:c8:c0:a1:68
  dot11a-radio-profile ch 36
  dot11g-radio-profile channel-1
airgroup cppm-server aaa
logging level warnings security subcat ids
logging level warnings security subcat ids-ap
snmp-server enable trap
snmp-server trap source 0.0.0.0
snmp-server trap disable wlsxAdhocNetwork
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedAP
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedSta
snmp-server trap disable wlsxAdhocUsingValidSSID
snmp-server trap disable wlsxAuthMaxAclEntries
snmp-server trap disable wlsxAuthMaxBWContracts
snmp-server trap disable wlsxAuthMaxUserEntries
snmp-server trap disable wlsxAuthServerIsUp
snmp-server trap disable wlsxAuthServerReqTimedOut
snmp-server trap disable wlsxAuthServerTimedOut
snmp-server trap disable wlsxChannelChanged
snmp-server trap disable wlsxCoverageHoleDetected
snmp-server trap disable wlsxDBCommunicationFailure
snmp-server trap disable wlsxDisconnectStationAttack
snmp-server trap disable wlsxESIServerDown
snmp-server trap disable wlsxESIServerUp
snmp-server trap disable wlsxFanFailure
snmp-server trap disable wlsxFanTrayInserted
snmp-server trap disable wlsxFanTrayRemoved
snmp-server trap disable wlsxGBICInserted
snmp-server trap disable wlsxIpSpoofingDetected
snmp-server trap disable wlsxLCInserted
snmp-server trap disable wlsxLCRemoved
snmp-server trap disable wlsxLicenseExpiry
snmp-server trap disable wlsxLowMemory
snmp-server trap disable wlsxLowOnFlashSpace
snmp-server trap disable wlsxOutOfRangeTemperature
snmp-server trap disable wlsxOutOfRangeVoltage
snmp-server trap disable wlsxPowerSupplyFailure
snmp-server trap disable wlsxPowerSupplyMissing
snmp-server trap disable wlsxProcessDied
snmp-server trap disable wlsxProcessExceedsMemoryLimits
snmp-server trap disable wlsxSCInserted
snmp-server trap disable wlsxSignatureMatch
snmp-server trap disable wlsxStaUnAssociatedFromUnsecureAP
snmp-server trap disable wlsxStationAddedToBlackList
snmp-server trap disable wlsxStationRemovedFromBlackList
snmp-server trap disable wlsxSwitchIPChanged
snmp-server trap disable wlsxSwitchRoleChange
snmp-server trap disable wlsxUserAuthenticationFailed
snmp-server trap disable wlsxUserEntryAuthenticated
snmp-server trap disable wlsxUserEntryChanged
snmp-server trap disable wlsxUserEntryCreated
snmp-server trap disable wlsxUserEntryDeAuthenticated
snmp-server trap disable wlsxUserEntryDeleted
snmp-server trap disable wlsxVrrpStateChange

firewall-visibility
process monitor log
end

access-list session ap-acl access-list session v6-control access-list session v6-ap-acluser-role denyalluser-role default-vpn-role access-list session global-sacl access-list session apprf-default-vpn-role-sacl access-list session ra-guard access-list session allowall access-list session v6-allowalluser-role cpbase access-list session global-sacl access-list session apprf-cpbase-sacluser-role voice access-list session global-sacl access-list session apprf-voice-sacl access-list session ra-guard access-list session sip-acl access-list session noe-acl access-list session svp-acl access-list session vocera-acl access-list session skinny-acl access-list session h323-acl access-list session dhcp-acl access-list session tftp-acl access-list session dns-acl access-list session icmp-acluser-role ascom access-list session global-sacl access-list session apprf-ascom-sacl access-list session ascomuser-role default-via-role access-list session global-sacl access-list session apprf-default-via-role-sacl access-list session allowall access-list session v6-allowalluser-role guest-logon captive-portal default access-list session ra-guard access-list session logon-control access-list session captiveportal access-list session v6-logon-control access-list session captiveportal6user-role guest access-list session global-sacl access-list session apprf-guest-sacl access-list session ra-guard access-list session http-acl access-list session https-acl access-list session dhcp-acl access-list session icmp-acl access-list session dns-acl access-list session v6-http-acl access-list session v6-https-acl access-list session v6-dhcp-acl access-list session v6-icmp-acl access-list session v6-dns-acluser-role stateful-dot1x access-list session global-sacl access-list session apprf-stateful-dot1x-sacluser-role authenticated access-list session global-sacl access-list session apprf-authenticated-sacl access-list session ra-guard access-list session allowall access-list session v6-allowalluser-role 
logon access-list session ra-guard access-list session logon-control access-list session captiveportal access-list session vpnlogon access-list session v6-logon-control access-list session captiveportal6no kernel coredumpinterface mgmtshutdowndialer group evdo_us init-string ATQ0V1E0 dial-string ATDT777dialer group gsm_us init-string AT+CGDCONT=1IPISPCINGULAR dial-string ATD99dialer group gsm_asia init-string AT+CGDCONT=1IPinternet dial-string ATD991dialer group vivo_br init-string AT+CGDCONT=1IPzapvivocombr dial-string ATD99no spanning-treeinterface gigabitethernet 10description GE10trustedtrusted vlan 1-4094interface gigabitethernet 11description GE11trustedtrusted vlan 1-4094interface gigabitethernet 12description GE12trustedtrusted vlan 1-4094interface gigabitethernet 13description GE13trustedtrusted vlan 1-4094interface vlan 1ip address 192168013 2552552550ip default-gateway 172201061ip default-gateway 192168050uplink disablecrypto isakmp policy 20 encryption aes256crypto isakmp policy 10001crypto isakmp policy 10002 encryption aes256 authentication rsa-sigcrypto isakmp policy 10003 encryption aes256crypto isakmp policy 10004 version v2 encryption aes256 authentication rsa-sigcrypto isakmp policy 10005 encryption aes256crypto isakmp policy 10006 version v2 encryption aes128 authentication rsa-sigcrypto isakmp policy 10007 version v2 encryption aes128crypto isakmp policy 10008 version v2 encryption aes128 hash sha2-256-128 group 19 authentication ecdsa-256 prf prf-hmac-sha256crypto isakmp policy 10009 version v2 encryption aes256 hash sha2-384-192 group 20 authentication ecdsa-384 prf prf-hmac-sha384crypto ipsec transform-set default-ha-transform esp-3des esp-sha-hmaccrypto ipsec transform-set default-boc-bm-transform esp-3des esp-sha-hmaccrypto ipsec transform-set default-rap-transform esp-aes256 esp-sha-hmaccrypto ipsec transform-set default-aes esp-aes256 esp-sha-hmaccrypto dynamic-map default-rap-ipsecmap 10001 version v2 set transform-set default-gcm256 
default-gcm128 default-rap-transform crypto dynamic-map default-dynamicmap 10000 set transform-set default-transform default-aes crypto map GLOBAL-IKEV2-MAP 10000 ipsec-isakmp dynamic default-rap-ipsecmapcrypto map GLOBAL-MAP 10000 ipsec-isakmp dynamic default-dynamicmapcrypto isakmp eap-passthrough eap-tlscrypto isakmp eap-passthrough eap-peapcrypto isakmp eap-passthrough eap-mschapv2vpdn group l2tp vpdn group pptptunneled-node-address 0000adp discovery enableadp igmp-join enableadp igmp-vlan 0voice rtcp-inactivity disablevoice alg-based-cac enablevoice sip-midcall-req-timeout disableap ap-blacklist-time 3600ap flush-r1-on-new-r0 disablemgmt-user admin root 5436b5a101681372db26d314e974065944317cd3e1fe6a5534no database synchronizeip mobile domain defaultairgroup mdns enableairgroup dlna enableairgroup location-discovery enableairgroup active-wireless-discovery disableairgroupservice airplay id _airplay_tcp id _raop_tcp id _appletv-v2_tcp description AirPlayairgroupservice airprint id _ipp_tcp id _pdl-datastream_tcp id _printer_tcp id _scanner_tcp id _universal_sub_ipp_tcp id _universal_sub_ipps_tcp id _printer_sub_http_tcp id _http_tcp id _http-alt_tcp id _ipp-tls_tcp id _fax-ipp_tcp id _riousbprint_tcp id _cups_sub_ipp_tcp id _cups_sub_fax-ipp_tcp id _ica-networking_tcp id _ptp_tcp id _canon-bjnp1_tcp id _ipps_tcp id _ica-networking2_tcp description AirPrintairgroupservice itunes id _home-sharing_tcp id _apple-mobdev_tcp id _daap_tcp id _dacp_tcp description iTunesairgroupservice remotemgmt id _ssh_tcp id _sftp-ssh_tcp id _ftp_tcp id _telnet_tcp id _rfb_tcp id _net-assistant_tcp description Remote managementairgroupservice sharing id _odisk_tcp id _afpovertcp_tcp id _xgrid_tcp description Sharingairgroupservice chat id _presence_tcp description Chatairgroupservice googlecast id _googlecast_tcp description GoogleCast supported by Chromecast etcairgroupservice DIAL id urndial-multiscreen-orgservicedial1 id urndial-multiscreen-orgdevicedial1 description DIAL 
supported by Chromecast FireTV Roku etcairgroupservice DLNA Media id urnschemas-upnp-orgdeviceMediaServer1 id urnschemas-upnp-orgdeviceMediaServer2 id urnschemas-upnp-orgdeviceMediaServer3 id urnschemas-upnp-orgdeviceMediaServer4 id urnschemas-upnp-orgdeviceMediaRenderer1 id urnschemas-upnp-orgdeviceMediaRenderer2 id urnschemas-upnp-orgdeviceMediaRenderer3 id urnschemas-upnp-orgdeviceMediaPlayer1 description Mediaairgroupservice DLNA Print id urnschemas-upnp-orgdevicePrinter1 id urnschemas-upnp-orgservicePrintBasic1 id urnschemas-upnp-orgservicePrintEnhanced1 description Printairgroupservice allowall description Remaining-Servicesairgroup service airplay enableairgroup service airprint enableairgroup service itunes disableairgroup service remotemgmt disableairgroup service sharing disableairgroup service chat disableairgroup service googlecast disableairgroup service DIAL enableairgroup service DLNA Media disableairgroup service DLNA Print disableairgroup service allowall disableip igmpipv6 mldno firewall attack-rate cp 1024firewall enable ICE-STUN based firewall traversalfirewall attack-rate grat-arp 50 dropipv6 firewall ext-hdr-parse-len 100firewall cpip domain lookupcountry USaaa authentication mac defaultaaa authentication dot1x ArubaIntop-dot1x_profaaa authentication dot1x ascom machine-authentication enable machine-authentication machine-default-role ascom machine-authentication user-default-role authenticated reauthentication termination enable termination eap-type eap-peap termination inner-eap-type eap-mschapv2aaa authentication dot1x defaultaaa authentication dot1x Freeradius machine-authentication enable machine-authentication machine-default-role ascom machine-authentication user-default-role authenticatedaaa authentication-server radius Intop host 19216802 key 6035e299cd29e5ccb74cf92aac31ee2faaa server-group ascom auth-server Internalaaa server-group default auth-server Internal set role condition role value-ofaaa server-group intop auth-server 
Intopaaa profile ascom initial-role ascom authentication-dot1x ascom dot1x-default-role authenticated dot1x-server-group ascomaaa profile defaultaaa profile default-dot1x initial-role ascom authentication-dot1x Freeradius dot1x-default-role authenticated dot1x-server-group intopaaa profile default-dot1x-psk initial-role ascom authentication-dot1x default-psk dot1x-default-role authenticatedaaa authentication captive-portal defaultaaa authentication wispr defaultaaa authentication vpn defaultaaa authentication vpn default-rapaaa authentication mgmtaaa authentication stateful-ntlm defaultaaa authentication stateful-kerberos defaultaaa authentication stateful-dot1x server-group intopaaa authentication wiredweb-serverguest-access-emailvoice loggingvoice dialplan-profile defaultapp lync traffic-control defaultvoice real-time-configvoice sipaaa password-policy mgmtcontrol-plane-security no cpsec-enableids wms-general-profile poll-retries 3ids wms-local-system-profilevalid-network-oui-profileupgrade-profilelicense profileactivate-service-whitelistfile syncing profileifmap cppmpan profile defaultpan active-profileap system-profile defaultap regulatory-domain-profile default country-code US valid-11g-channel 1 valid-11g-channel 6 valid-11g-channel 11 valid-11a-channel 36 valid-11a-channel 40 valid-11a-channel 44 valid-11a-channel 48 valid-11a-channel 149 valid-11a-channel 153 valid-11a-channel 157 valid-11a-channel 161 valid-11a-channel 165 valid-11g-40mhz-channel-pair 1-5 valid-11g-40mhz-channel-pair 7-11 valid-11a-40mhz-channel-pair 36-40 valid-11a-40mhz-channel-pair 44-48 valid-11a-40mhz-channel-pair 149-153 valid-11a-40mhz-channel-pair 157-161ap wired-ap-profile defaultap enet-link-profile defaultap mesh-ht-ssid-profile defaultap lldp med-network-policy-profile defaultap mesh-cluster-profile defaultap lldp profile defaultap mesh-radio-profile defaultap wired-port-profile defaultids general-profile defaultids unauthorized-device-profile defaultids profile defaultrf 
arm-profile default assignment disablerf arm-profile disable assignment disable no scanning no multi-band-scanrf optimization-profile defaultrf event-thresholds-profile defaultrf am-scan-profile defaultrf dot11a-radio-profile ch 165 channel 48E tx-power 6 arm-profile disablerf dot11a-radio-profile ch 36 channel 36E tx-power 25 dot11h arm-profile disablerf dot11a-radio-profile ch 40 channel 40- tx-power 22rf dot11a-radio-profile ch149 channel 149E tx-power 6 dot11hrf dot11a-radio-profile ch44 channel 44 tx-power 16rf dot11a-radio-profile default arm-profile disablerf dot11g-radio-profile channel-1 channel 1 tx-power 6 dot11h arm-profile disablerf dot11g-radio-profile channel-11 channel 11 tx-power 30 dot11h arm-profile disablerf dot11g-radio-profile channel-6 channel 6 tx-power 25 dot11h arm-profile disablerf dot11g-radio-profile defaultwlan handover-trigger-profile defaultwlan rrm-ie-profile defaultwlan bcn-rpt-req-profile defaultwlan dot11r-profile defaultwlan tsm-req-profile defaultwlan voip-cac-profile default call-capacity 5 bandwidth-capacity 200 send-sip-status-code client 503 send-sip-status-code server 503wlan ht-ssid-profile default no 40MHz-enable no very-high-throughput-enable no 80MHz-enable no short-guard-intvl-20MHz no short-guard-intvl-40MHz no short-guard-intvl-80MHzwlan hotspot anqp-venue-name-profile defaultwlan hotspot anqp-nwk-auth-profile defaultwlan hotspot anqp-roam-cons-profile defaultwlan hotspot anqp-nai-realm-profile defaultwlan hotspot anqp-3gpp-nwk-profile defaultwlan hotspot h2qp-operator-friendly-name-profile defaultwlan hotspot h2qp-wan-metrics-profile defaultwlan hotspot h2qp-conn-capability-profile defaultwlan hotspot h2qp-op-cl-profile defaultwlan hotspot anqp-ip-addr-avail-profile defaultwlan hotspot anqp-domain-name-profile defaultwlan wmm-traffic-management-profile Ascom enable-shapingwlan edca-parameters-profile station defaultwlan edca-parameters-profile ap defaultwlan dot11k-profile defaultwlan ssid-profile --NEW-- essid 
ArubaIntop2 wmm-vo-dscp 56 wmm-vi-dscp 40 wmm-be-dscp 24 wmm-bk-dscp 8wlan ssid-profile default essid ArubaIntop opmode wpa2-psk-aes dtim-period 5 g-basic-rates 6 g-tx-rates 11 12 18 24 36 48 54 max-retries 4 wmm wmm-vo-dscp 46 wmm-vi-dscp 40 wmm-be-dscp 26 wmm-bk-dscp 0 wepkey1 1317981aecb1ee9a3145cbeeabbbc99a4c29e309ef9c8544 wpa-passphrase 50a78a5dac7e447441e028920cceef898a3ba5f29c6e2098 max-tx-fail 25 edca-parameters-profile station default edca-parameters-profile ap defaultwlan ssid-profile test opmode wpa2-psk-aes wmm-vo-dscp 56 wmm-vi-dscp 40 wmm-be-dscp 24 wmm-bk-dscp 8 wpa-passphrase c66913b490044f55538730b888a8522c02008a746fb88738wlan hotspot advertisement-profile defaultwlan hotspot hs2-profile defaultwlan virtual-ap default aaa-profile default-dot1xap provisioning-profile defaultrf arm-rf-domain-profile arm-rf-domain-key 49868e8b02680a8f03980ea4288197a4ap-lacp-striping-ipap-group default virtual-ap default dot11a-radio-profile ch149 dot11g-radio-profile channel-6ap-name 001a1eca2c1a dot11a-radio-profile ch 36 dot11g-radio-profile channel-11ap-name 001a1eca2c76 dot11a-radio-profile ch 36 dot11g-radio-profile channel-1ap-name 00246ccbf8b1ap-name 00246ccbf900 dot11a-radio-profile ch44 dot11g-radio-profile channel-11ap-name 24dec6cacabc dot11a-radio-profile ch149 dot11g-radio-profile channel-1ap-name 3400-ap-61-a dot11g-radio-profile channel-6ap-name 3400-ap-61-b dot11g-radio-profile channel-6ap-name 9c1c12c0c3bc dot11a-radio-profile ch 165 dot11g-radio-profile channel-6ap-name 9c1c12c82e5c dot11a-radio-profile ch149 dot11g-radio-profile channel-1ap-name 9c1c12cc6220 dot11a-radio-profile ch 36 dot11g-radio-profile channel-6ap-name d8c7c8c0a168 dot11a-radio-profile ch 36 dot11g-radio-profile channel-1airgroup cppm-server aaalogging level warnings security subcat idslogging level warnings security subcat ids-apsnmp-server enable trapsnmp-server trap source 0000snmp-server trap disable wlsxAdhocNetworksnmp-server trap disable 
wlsxAdhocNetworkBridgeDetectedAPsnmp-server trap disable wlsxAdhocNetworkBridgeDetectedStasnmp-server trap disable wlsxAdhocUsingValidSSIDsnmp-server trap disable wlsxAuthMaxAclEntriessnmp-server trap disable wlsxAuthMaxBWContractssnmp-server trap disable wlsxAuthMaxUserEntriessnmp-server trap disable wlsxAuthServerIsUpsnmp-server trap disable wlsxAuthServerReqTimedOutsnmp-server trap disable wlsxAuthServerTimedOutsnmp-server trap disable wlsxChannelChangedsnmp-server trap disable wlsxCoverageHoleDetectedsnmp-server trap disable wlsxDBCommunicationFailuresnmp-server trap disable wlsxDisconnectStationAttacksnmp-server trap disable wlsxESIServerDownsnmp-server trap disable wlsxESIServerUpsnmp-server trap disable wlsxFanFailuresnmp-server trap disable wlsxFanTrayInsertedsnmp-server trap disable wlsxFanTrayRemovedsnmp-server trap disable wlsxGBICInsertedsnmp-server trap disable wlsxIpSpoofingDetectedsnmp-server trap disable wlsxLCInsertedsnmp-server trap disable wlsxLCRemovedsnmp-server trap disable wlsxLicenseExpirysnmp-server trap disable wlsxLowMemorysnmp-server trap disable wlsxLowOnFlashSpacesnmp-server trap disable wlsxOutOfRangeTemperaturesnmp-server trap disable wlsxOutOfRangeVoltagesnmp-server trap disable wlsxPowerSupplyFailuresnmp-server trap disable wlsxPowerSupplyMissingsnmp-server trap disable wlsxProcessDiedsnmp-server trap disable wlsxProcessExceedsMemoryLimitssnmp-server trap disable wlsxSCInsertedsnmp-server trap disable wlsxSignatureMatchsnmp-server trap disable wlsxStaUnAssociatedFromUnsecureAPsnmp-server trap disable wlsxStationAddedToBlackListsnmp-server trap disable wlsxStationRemovedFromBlackListsnmp-server trap disable wlsxSwitchIPChangedsnmp-server trap disable wlsxSwitchRoleChangesnmp-server trap disable wlsxUserAuthenticationFailedsnmp-server trap disable wlsxUserEntryAuthenticatedsnmp-server trap disable wlsxUserEntryChangedsnmp-server trap disable wlsxUserEntryCreatedsnmp-server trap disable wlsxUserEntryDeAuthenticatedsnmp-server trap 
disable wlsxUserEntryDeletedsnmp-server trap disable wlsxVrrpStateChangefirewall-visibility process monitor logend

WLAN TR

WLAN Interoperability Test Report

Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP115 and AP225

WLAN configuration:
Beacon Interval 100ms
DTIM Interval 5
802.11d Regulatory Domain XX
WMM Enabled (AutoWMM)
No Auto-tune
Single Voice VLAN

| Test Case | Description | AP115 2.4 GHz | AP115 5.0 GHz | AP225 2.4 GHz | AP225 5.0 GHz | Comment |
|---|---|---|---|---|---|---|
| | TEST AREA ASSOCIATION AUTHENTICATION | | | | | |
| 101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS | |
| 104 | Association with WPA-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 105 | Association with WPA-PSK authentication, AES-CCMP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 106 | Association with WPA2-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS | |
| 110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL |
| 111 | Association with EAP-FAST authentication | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment |
| 116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate |
| | TEST AREA POWER-SAVE AND QOS | | | | | PASS |
| 150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL |
| 151 | Beacon period and DTIM interval | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
| 152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment |
| 202 | WMM prioritization | PASS | PASS | PASS | PASS | Background load generated with iPerf. No degeneration of voice quality |
| | TEST AREA PERFORMANCE | | | | | |
| 301 | Active mode - unencrypted | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 303 | Active mode - encrypted with WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 308 | Power-save mode U-APSD - WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 309 | Power-save mode U-APSD - WPA2-PSK AES, background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 310 | CAC - TSPEC | PASS | PASS | PASS | PASS | No TSPEC based CAC |
| | TEST AREA ROAMING AND HANDOVER TIMES | | | | | |
| 401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | avg a/n 24 ms, b/g/n 24 ms |
| 403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 52 ms, b/g/n 59 ms |
| 408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 63 ms, b/g/n 62 ms |
| 410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | Always on, see 408 |
| 411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | Always on, see 408 |
| | TEST AREA BATTERY LIFETIME | | | | | |
| 501 | Battery lifetime in idle | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 502 | Battery lifetime in call with no power save | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 504 | Battery lifetime in call with power save mode U-APSD | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| | TEST AREA STABILITY | | | | | |
| 601 | Duration of call - Active mode | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 602 | Duration of call - U-APSD mode | PASS | PASS | PASS | PASS | |
| | TEST AREA 802.11n | | | | | |
| 801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 804 | 40 MHz channels | NOT TESTED | PASS | NOT TESTED | NOT TESTED | |
| 805 | 802.11n rates | PASS | PASS | PASS | PASS | |

WLAN Interoperability Test Report

Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP103 and AP205

WLAN configuration:
Beacon Interval 100ms
DTIM Interval 5
802.11d Regulatory Domain XX
WMM Enabled (AutoWMM)
No Auto-tune
Single Voice VLAN

| Test Case | Description | AP205 2.4 GHz | AP205 5.0 GHz | AP103 2.4 GHz | AP103 5.0 GHz | Comment |
|---|---|---|---|---|---|---|
| | TEST AREA ASSOCIATION AUTHENTICATION | | | | | |
| 101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS | |
| 104 | Association with WPA-PSK authentication, TKIP encryption | See Comment | See Comment | See Comment | See Comment | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 105 | Association with WPA-PSK authentication, AES-CCMP encryption | See Comment | See Comment | See Comment | See Comment | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 106 | Association with WPA2-PSK authentication, TKIP encryption | PASS | PASS | PASS | PASS | |
| 107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS | |
| 110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL |
| 115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment |
| 116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate |
| | TEST AREA POWER-SAVE AND QOS | | | | | PASS |
| 150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL |
| 151 | Beacon period and DTIM interval | See Comment | See Comment | PASS | PASS | Only DTIM 1 for AP205; AP103 no remark NOT TESTED |
| 152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment |
| 202 | WMM prioritization | PASS | PASS | PASS | PASS | |
| | TEST AREA PERFORMANCE | | | | | |
| 301 | Active mode - unencrypted | PASS | PASS | PASS | PASS | |
| 303 | Active mode - encrypted with WPA2-PSK | PASS | PASS | PASS | PASS | |
| 308 | Power-save mode U-APSD - WPA2-PSK | PASS | PASS | PASS | PASS | |
| 309 | Power-save mode U-APSD - WPA2-PSK AES, background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 310 | CAC - TSPEC | PASS | PASS | PASS | PASS | Non TSPEC based CAC |
| | TEST AREA ROAMING AND HANDOVER TIMES | | | | | |
| 401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | Typical average roaming time: a/n/ac 16 ms, b/g/n 18 ms |
| 403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | Typical average roaming time: a/n/ac 53 ms, b/g/n 59 ms |
| 408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | Typical average roaming time: a/n/ac 46 ms, b/g/n 62 ms |
| 410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | Always on, see 408 |
| 411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | Always on, see 408 |
| | TEST AREA BATTERY LIFETIME | | | | | |
| 501 | Battery lifetime in idle | See Comment | See Comment | PASS | PASS | 60-70h due to DTIM 1 only; AP103 90 100h (DTIM 5) |
| 502 | Battery lifetime in call with no power save | PASS | PASS | PASS | PASS | 3-4 hours |
| 504 | Battery lifetime in call with power save mode U-APSD | PASS | PASS | PASS | PASS | 13h (14-16h for AP103) |
| | TEST AREA STABILITY | | | | | |
| 601 | Duration of call - Active mode | PASS | PASS | PASS | PASS | 24h + |
| 602 | Duration of call - U-APSD mode | PASS | PASS | PASS | PASS | 24h + |
| | TEST AREA 802.11n | | | | | |
| 801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 804 | 40 MHz channels | NOT TESTED | PASS | NOT TESTED | PASS | AP205 80 MHz channels verified OK |
| 805 | 802.11n rates | PASS | PASS | PASS | PASS | |

WLAN Interoperability Test Report

Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP105 and AP135

WLAN configuration:
Beacon Interval 100ms
DTIM Interval 5
802.11d Regulatory Domain XX
WMM Enabled (AutoWMM)
No Auto-tune
Single Voice VLAN

| Test Case | Description | AP105 2.4 GHz | AP105 5.0 GHz | AP135 2.4 GHz | AP135 5.0 GHz | Comment |
|---|---|---|---|---|---|---|
| | TEST AREA ASSOCIATION AUTHENTICATION | | | | | |
| 101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS | |
| 104 | Association with WPA-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 105 | Association with WPA-PSK authentication, AES-CCMP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 106 | Association with WPA2-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS | |
| 110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL |
| 115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment |
| 116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate |
| | TEST AREA POWER-SAVE AND QOS | | | | | PASS |
| 150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL |
| 151 | Beacon period and DTIM interval | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Only DTIM 1 for AP205; AP103 no remark NOT TESTED |
| 152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment |
| 202 | WMM prioritization | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Background load generated with iPerf. No degeneration of voice quality |
| | TEST AREA PERFORMANCE | | | | | |
| 301 | Active mode - unencrypted | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 303 | Active mode - encrypted with WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 308 | Power-save mode U-APSD - WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 309 | Power-save mode U-APSD - WPA2-PSK AES, background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 310 | CAC - TSPEC | PASS | PASS | PASS | PASS | No TSPEC based CAC |
| | TEST AREA ROAMING AND HANDOVER TIMES | | | | | |
| 401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | avg a/n 29 ms, b/g/n 27 ms |
| 403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 57 ms, b/g/n 55 ms |
| 408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 62 ms, b/g/n 60 ms |
| 410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | Always on, see 408 |
| 411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | Always on, see 408 |
| 412 | Preauthentication | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| | TEST AREA BATTERY LIFETIME | | | | | |
| 501 | Battery lifetime in idle | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 502 | Battery lifetime in call with no power save | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 504 | Battery lifetime in call with power save mode U-APSD | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| | TEST AREA STABILITY | | | | | |
| 601 | Duration of call - Active mode | PASS | PASS | PASS | PASS | |
| 602 | Duration of call - U-APSD mode | PASS | PASS | PASS | PASS | |
| | TEST AREA 802.11n | | | | | |
| 801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 804 | 40 MHz channels | NOT TESTED | NOT TESTED | NOT TESTED | PASS | |
| 805 | 802.11n rates | PASS | PASS | PASS | PASS | |


ip access-list session v6-https-acl
ip access-list session vmware-acl
  any any svc-vmware-rdp permit tos 46 dot1p-priority 6
  any any svc-pcoip-tcp permit tos 46 dot1p-priority 6
  any any svc-pcoip-udp permit tos 46 dot1p-priority 6
  any any svc-pcoip2-tcp permit tos 46 dot1p-priority 6
  any any svc-pcoip2-udp permit tos 46 dot1p-priority 6
ip access-list session apprf-default-vpn-role-sacl
ip access-list session v6-control
  ipv6 any any svc-papi permit
  ipv6 any any svc-sec-papi permit
  ipv6 user any udp 547 deny
  ipv6 any any svc-v6-icmp permit
  ipv6 any any svc-dns permit
  ipv6 any any svc-cfgm-tcp permit
  ipv6 any any svc-adp permit
  ipv6 any any svc-tftp permit
  ipv6 any any svc-dhcp permit
  ipv6 any any svc-natt permit
ip access-list session icmp-acl
  any any svc-icmp permit
ip access-list session apprf-authenticated-sacl
ip access-list session apprf-stateful-dot1x-sacl
ip access-list session captiveportal
  user alias controller svc-https dst-nat 8081
  user any svc-http dst-nat 8080
  user any svc-https dst-nat 8081
  user any svc-http-proxy1 dst-nat 8088
  user any svc-http-proxy2 dst-nat 8088
  user any svc-http-proxy3 dst-nat 8088
ip access-list session v6-dhcp-acl
ip access-list session allowall
  any any any permit
ip access-list session v6-dns-acl
ip access-list session apprf-voice-sacl
ip access-list session lync-acl
  any any svc-sips permit queue high
ip access-list session test
ip access-list session sip-acl
  any any svc-sip-udp permit queue high
  any any svc-sip-tcp permit queue high
ip access-list session https-acl
  any any svc-https permit
ip access-list session citrix-acl
  any any svc-citrix permit tos 46 dot1p-priority 6
  any any svc-ica permit tos 46 dot1p-priority 6
ip access-list session dns-acl
  any any svc-dns permit

ip access-list session ascom
  any any any permit
ip access-list session ra-guard
  ipv6 user any icmpv6 rtr-adv deny
ip access-list session allow-printservices
  any any svc-cups permit
  any any svc-lpd-tcp permit
  any any svc-lpd-udp permit
ip access-list session logon-control
  user any udp 68 deny
  any any svc-icmp permit
  any any svc-dns permit
  any any svc-dhcp permit
  any any svc-natt permit
  any network 16925400 25525500 any deny
  any network 240000 240000 any deny
ip access-list session vpnlogon
  user any svc-ike permit
  user any svc-esp permit
  any any svc-l2tp permit
  any any svc-pptp permit
  any any svc-gre permit
ip access-list session srcnat
  user any any src-nat
ip access-list session skinny-acl
  any any svc-sccp permit queue high
ip access-list session tftp-acl
  any any svc-tftp permit
ip access-list session v6-allowall
ip access-list session apprf-cpbase-sacl
ip access-list session cplogout
  user alias controller svc-https dst-nat 8081
ip access-list session apprf-default-via-role-sacl
ip access-list session dhcp-acl
  any any svc-dhcp permit
ip access-list session http-acl
  any any svc-http permit
ip access-list session v6-http-acl
ip access-list session captiveportal6
  ipv6 user alias controller6 svc-https captive
  ipv6 user any svc-http captive
  ipv6 user any svc-https captive
  ipv6 user any svc-http-proxy1 captive
  ipv6 user any svc-http-proxy2 captive
  ipv6 user any svc-http-proxy3 captive
ip access-list session apprf-guest-sacl
ip access-list session ap-uplink-acl
  any any udp 68 permit

  any any svc-icmp permit
  any host 22400251 udp 5353 permit
ip access-list session ap-acl
  any any svc-gre permit
  any any svc-syslog permit
  any user svc-snmp permit
  user any svc-http permit
  user any svc-http-accl permit
  user any svc-smb-tcp permit
  user any svc-msrpc-tcp permit
  user any svc-snmp-trap permit
  user any svc-ntp permit
  user alias controller svc-ftp permit
ip access-list session svp-acl
  any any svc-svp permit queue high
  user host 22401116 any permit
ip access-list session noe-acl
  any any svc-noe permit queue high
ip access-list session global-sacl
ip access-list session v6-ap-acl
  ipv6 any any svc-gre permit
  ipv6 any any svc-syslog permit
  ipv6 any user svc-snmp permit
  ipv6 user any svc-snmp-trap permit
  ipv6 user any svc-ntp permit
  ipv6 user alias controller6 svc-ftp permit
ip access-list session h323-acl
  any any svc-h323-tcp permit queue high
  any any svc-h323-udp permit queue high
ip access-list session v6-logon-control
  ipv6 any network fc007 any permit
  ipv6 any network fe8064 any permit
  ipv6 any alias ipv6-reserved-range any deny
vpn-dialer default-dialer
  ike authentication PRE-SHARE 0fa4598253e270cc96afbec0732b06120e4a3d76a908f6e2
dot1x high-watermark 60
dot1x low-watermark 57
user-role ap-role
  access-list session ra-guard
  access-list session control
  access-list session ap-acl
  access-list session v6-control
  access-list session v6-ap-acl
user-role denyall
user-role default-vpn-role
  access-list session global-sacl
  access-list session apprf-default-vpn-role-sacl
  access-list session ra-guard
  access-list session allowall
  access-list session v6-allowall
user-role cpbase
  access-list session global-sacl
  access-list session apprf-cpbase-sacl

user-role voice
  access-list session global-sacl
  access-list session apprf-voice-sacl
  access-list session ra-guard
  access-list session sip-acl
  access-list session noe-acl
  access-list session svp-acl
  access-list session vocera-acl
  access-list session skinny-acl
  access-list session h323-acl
  access-list session dhcp-acl
  access-list session tftp-acl
  access-list session dns-acl
  access-list session icmp-acl
user-role ascom
  access-list session global-sacl
  access-list session apprf-ascom-sacl
  access-list session ascom
user-role default-via-role
  access-list session global-sacl
  access-list session apprf-default-via-role-sacl
  access-list session allowall
  access-list session v6-allowall
user-role guest-logon
  captive-portal default
  access-list session ra-guard
  access-list session logon-control
  access-list session captiveportal
  access-list session v6-logon-control
  access-list session captiveportal6
user-role guest
  access-list session global-sacl
  access-list session apprf-guest-sacl
  access-list session ra-guard
  access-list session http-acl
  access-list session https-acl
  access-list session dhcp-acl
  access-list session icmp-acl
  access-list session dns-acl
  access-list session v6-http-acl
  access-list session v6-https-acl
  access-list session v6-dhcp-acl
  access-list session v6-icmp-acl
  access-list session v6-dns-acl
user-role stateful-dot1x
  access-list session global-sacl
  access-list session apprf-stateful-dot1x-sacl
user-role authenticated
  access-list session global-sacl
  access-list session apprf-authenticated-sacl
  access-list session ra-guard
  access-list session allowall
  access-list session v6-allowall
user-role logon
  access-list session ra-guard
  access-list session logon-control
  access-list session captiveportal
  access-list session vpnlogon
  access-list session v6-logon-control

  access-list session captiveportal6
no kernel coredump
interface mgmt
  shutdown
dialer group evdo_us
  init-string ATQ0V1E0
  dial-string ATDT777
dialer group gsm_us
  init-string AT+CGDCONT=1IPISPCINGULAR
  dial-string ATD99
dialer group gsm_asia
  init-string AT+CGDCONT=1IPinternet
  dial-string ATD991
dialer group vivo_br
  init-string AT+CGDCONT=1IPzapvivocombr
  dial-string ATD99
no spanning-tree
interface gigabitethernet 10
  description GE10
  trusted
  trusted vlan 1-4094
interface gigabitethernet 11
  description GE11
  trusted
  trusted vlan 1-4094
interface gigabitethernet 12
  description GE12
  trusted
  trusted vlan 1-4094
interface gigabitethernet 13
  description GE13
  trusted
  trusted vlan 1-4094
interface vlan 1
  ip address 192168013 2552552550
ip default-gateway 172201061
ip default-gateway 192168050
uplink disable

crypto isakmp policy 20
  encryption aes256
crypto isakmp policy 10001
crypto isakmp policy 10002
  encryption aes256
  authentication rsa-sig
crypto isakmp policy 10003
  encryption aes256
crypto isakmp policy 10004
  version v2
  encryption aes256
  authentication rsa-sig
crypto isakmp policy 10005
  encryption aes256
crypto isakmp policy 10006
  version v2
  encryption aes128
  authentication rsa-sig
crypto isakmp policy 10007
  version v2
  encryption aes128
crypto isakmp policy 10008
  version v2
  encryption aes128
  hash sha2-256-128
  group 19
  authentication ecdsa-256
  prf prf-hmac-sha256
crypto isakmp policy 10009
  version v2
  encryption aes256
  hash sha2-384-192
  group 20
  authentication ecdsa-384
  prf prf-hmac-sha384
crypto ipsec transform-set default-ha-transform esp-3des esp-sha-hmac
crypto ipsec transform-set default-boc-bm-transform esp-3des esp-sha-hmac
crypto ipsec transform-set default-rap-transform esp-aes256 esp-sha-hmac
crypto ipsec transform-set default-aes esp-aes256 esp-sha-hmac
crypto dynamic-map default-rap-ipsecmap 10001
  version v2
  set transform-set default-gcm256 default-gcm128 default-rap-transform
crypto dynamic-map default-dynamicmap 10000
  set transform-set default-transform default-aes

crypto map GLOBAL-IKEV2-MAP 10000 ipsec-isakmp dynamic default-rap-ipsecmap
crypto map GLOBAL-MAP 10000 ipsec-isakmp dynamic default-dynamicmap
crypto isakmp eap-passthrough eap-tls
crypto isakmp eap-passthrough eap-peap
crypto isakmp eap-passthrough eap-mschapv2
vpdn group l2tp
vpdn group pptp
tunneled-node-address 0000
adp discovery enable
adp igmp-join enable
adp igmp-vlan 0
voice rtcp-inactivity disable
voice alg-based-cac enable
voice sip-midcall-req-timeout disable
ap ap-blacklist-time 3600
ap flush-r1-on-new-r0 disable
mgmt-user admin root 5436b5a101681372db26d314e974065944317cd3e1fe6a5534
no database synchronize
ip mobile domain default
airgroup mdns enable
airgroup dlna enable
airgroup location-discovery enable
airgroup active-wireless-discovery disable
airgroupservice airplay
  id _airplay_tcp
  id _raop_tcp
  id _appletv-v2_tcp
  description AirPlay
airgroupservice airprint
  id _ipp_tcp
  id _pdl-datastream_tcp
  id _printer_tcp
  id _scanner_tcp
  id _universal_sub_ipp_tcp
  id _universal_sub_ipps_tcp
  id _printer_sub_http_tcp
  id _http_tcp

  id _http-alt_tcp
  id _ipp-tls_tcp
  id _fax-ipp_tcp
  id _riousbprint_tcp
  id _cups_sub_ipp_tcp
  id _cups_sub_fax-ipp_tcp
  id _ica-networking_tcp
  id _ptp_tcp
  id _canon-bjnp1_tcp
  id _ipps_tcp
  id _ica-networking2_tcp
  description AirPrint
airgroupservice itunes
  id _home-sharing_tcp
  id _apple-mobdev_tcp
  id _daap_tcp
  id _dacp_tcp
  description iTunes
airgroupservice remotemgmt
  id _ssh_tcp
  id _sftp-ssh_tcp
  id _ftp_tcp
  id _telnet_tcp
  id _rfb_tcp
  id _net-assistant_tcp
  description Remote management
airgroupservice sharing
  id _odisk_tcp
  id _afpovertcp_tcp
  id _xgrid_tcp
  description Sharing
airgroupservice chat
  id _presence_tcp
  description Chat
airgroupservice googlecast
  id _googlecast_tcp
  description GoogleCast supported by Chromecast etc
airgroupservice DIAL
  id urndial-multiscreen-orgservicedial1
  id urndial-multiscreen-orgdevicedial1
  description DIAL supported by Chromecast FireTV Roku etc
airgroupservice DLNA Media
  id urnschemas-upnp-orgdeviceMediaServer1
  id urnschemas-upnp-orgdeviceMediaServer2
  id urnschemas-upnp-orgdeviceMediaServer3
  id urnschemas-upnp-orgdeviceMediaServer4
  id urnschemas-upnp-orgdeviceMediaRenderer1
  id urnschemas-upnp-orgdeviceMediaRenderer2
  id urnschemas-upnp-orgdeviceMediaRenderer3
  id urnschemas-upnp-orgdeviceMediaPlayer1
  description Media
airgroupservice DLNA Print
  id urnschemas-upnp-orgdevicePrinter1
  id urnschemas-upnp-orgservicePrintBasic1
  id urnschemas-upnp-orgservicePrintEnhanced1
  description Print
airgroupservice allowall

  description Remaining-Services
airgroup service airplay enable
airgroup service airprint enable
airgroup service itunes disable
airgroup service remotemgmt disable
airgroup service sharing disable
airgroup service chat disable
airgroup service googlecast disable
airgroup service DIAL enable
airgroup service DLNA Media disable
airgroup service DLNA Print disable
airgroup service allowall disable
ip igmp
ipv6 mld
no firewall attack-rate cp 1024
firewall enable ICE-STUN based firewall traversal
firewall attack-rate grat-arp 50 drop
ipv6 firewall ext-hdr-parse-len 100
firewall cp
ip domain lookup
country US
aaa authentication mac default
aaa authentication dot1x ArubaIntop-dot1x_prof
aaa authentication dot1x ascom
  machine-authentication enable
  machine-authentication machine-default-role ascom
  machine-authentication user-default-role authenticated
  reauthentication
  termination enable
  termination eap-type eap-peap
  termination inner-eap-type eap-mschapv2
aaa authentication dot1x default
aaa authentication dot1x Freeradius
  machine-authentication enable
  machine-authentication machine-default-role ascom
  machine-authentication user-default-role authenticated
aaa authentication-server radius Intop
  host 19216802

  key 6035e299cd29e5ccb74cf92aac31ee2f
aaa server-group ascom
  auth-server Internal
aaa server-group default
  auth-server Internal
  set role condition role value-of
aaa server-group intop
  auth-server Intop
aaa profile ascom
  initial-role ascom
  authentication-dot1x ascom
  dot1x-default-role authenticated
  dot1x-server-group ascom
aaa profile default
aaa profile default-dot1x
  initial-role ascom
  authentication-dot1x Freeradius
  dot1x-default-role authenticated
  dot1x-server-group intop
aaa profile default-dot1x-psk
  initial-role ascom
  authentication-dot1x default-psk
  dot1x-default-role authenticated
aaa authentication captive-portal default
aaa authentication wispr default
aaa authentication vpn default
aaa authentication vpn default-rap
aaa authentication mgmt
aaa authentication stateful-ntlm default
aaa authentication stateful-kerberos default
aaa authentication stateful-dot1x
  server-group intop
aaa authentication wired
web-server
guest-access-email
voice logging
voice dialplan-profile default
app lync traffic-control default
voice real-time-config
voice sip
aaa password-policy mgmt

control-plane-security
  no cpsec-enable
ids wms-general-profile
  poll-retries 3
ids wms-local-system-profile
valid-network-oui-profile
upgrade-profile
license profile
activate-service-whitelist
file syncing profile
ifmap cppm
pan profile default
pan active-profile
ap system-profile default
ap regulatory-domain-profile default
  country-code US
  valid-11g-channel 1
  valid-11g-channel 6
  valid-11g-channel 11
  valid-11a-channel 36
  valid-11a-channel 40
  valid-11a-channel 44
  valid-11a-channel 48
  valid-11a-channel 149
  valid-11a-channel 153
  valid-11a-channel 157
  valid-11a-channel 161
  valid-11a-channel 165
  valid-11g-40mhz-channel-pair 1-5
  valid-11g-40mhz-channel-pair 7-11
  valid-11a-40mhz-channel-pair 36-40
  valid-11a-40mhz-channel-pair 44-48
  valid-11a-40mhz-channel-pair 149-153
  valid-11a-40mhz-channel-pair 157-161
ap wired-ap-profile default
ap enet-link-profile default
ap mesh-ht-ssid-profile default
ap lldp med-network-policy-profile default
ap mesh-cluster-profile default
ap lldp profile default
ap mesh-radio-profile default
ap wired-port-profile default
ids general-profile default
ids unauthorized-device-profile default

ids profile default
rf arm-profile default
  assignment disable
rf arm-profile disable
  assignment disable
  no scanning
  no multi-band-scan
rf optimization-profile default
rf event-thresholds-profile default
rf am-scan-profile default
rf dot11a-radio-profile ch 165
  channel 48E
  tx-power 6
  arm-profile disable
rf dot11a-radio-profile ch 36
  channel 36E
  tx-power 25
  dot11h
  arm-profile disable
rf dot11a-radio-profile ch 40
  channel 40-
  tx-power 22
rf dot11a-radio-profile ch149
  channel 149E
  tx-power 6
  dot11h
rf dot11a-radio-profile ch44
  channel 44
  tx-power 16
rf dot11a-radio-profile default
  arm-profile disable
rf dot11g-radio-profile channel-1
  channel 1
  tx-power 6
  dot11h
  arm-profile disable
rf dot11g-radio-profile channel-11
  channel 11
  tx-power 30
  dot11h
  arm-profile disable
rf dot11g-radio-profile channel-6
  channel 6
  tx-power 25
  dot11h
  arm-profile disable
rf dot11g-radio-profile default
wlan handover-trigger-profile default

wlan rrm-ie-profile default
wlan bcn-rpt-req-profile default
wlan dot11r-profile default
wlan tsm-req-profile default
wlan voip-cac-profile default
  call-capacity 5
  bandwidth-capacity 200
  send-sip-status-code client 503
  send-sip-status-code server 503
wlan ht-ssid-profile default
  no 40MHz-enable
  no very-high-throughput-enable
  no 80MHz-enable
  no short-guard-intvl-20MHz
  no short-guard-intvl-40MHz
  no short-guard-intvl-80MHz
wlan hotspot anqp-venue-name-profile default
wlan hotspot anqp-nwk-auth-profile default
wlan hotspot anqp-roam-cons-profile default
wlan hotspot anqp-nai-realm-profile default
wlan hotspot anqp-3gpp-nwk-profile default
wlan hotspot h2qp-operator-friendly-name-profile default
wlan hotspot h2qp-wan-metrics-profile default
wlan hotspot h2qp-conn-capability-profile default
wlan hotspot h2qp-op-cl-profile default
wlan hotspot anqp-ip-addr-avail-profile default
wlan hotspot anqp-domain-name-profile default
wlan wmm-traffic-management-profile Ascom
  enable-shaping
wlan edca-parameters-profile station default
wlan edca-parameters-profile ap default
wlan dot11k-profile default
wlan ssid-profile --NEW--
  essid ArubaIntop2
  wmm-vo-dscp 56
  wmm-vi-dscp 40
  wmm-be-dscp 24
  wmm-bk-dscp 8
wlan ssid-profile default
  essid ArubaIntop
  opmode wpa2-psk-aes
  dtim-period 5
  g-basic-rates 6
  g-tx-rates 11 12 18 24 36 48 54

  max-retries 4
  wmm
  wmm-vo-dscp 46
  wmm-vi-dscp 40
  wmm-be-dscp 26
  wmm-bk-dscp 0
  wepkey1 1317981aecb1ee9a3145cbeeabbbc99a4c29e309ef9c8544
  wpa-passphrase 50a78a5dac7e447441e028920cceef898a3ba5f29c6e2098
  max-tx-fail 25
  edca-parameters-profile station default
  edca-parameters-profile ap default
wlan ssid-profile test
  opmode wpa2-psk-aes
  wmm-vo-dscp 56
  wmm-vi-dscp 40
  wmm-be-dscp 24
  wmm-bk-dscp 8
  wpa-passphrase c66913b490044f55538730b888a8522c02008a746fb88738
wlan hotspot advertisement-profile default
wlan hotspot hs2-profile default
wlan virtual-ap default
  aaa-profile default-dot1x
ap provisioning-profile default
rf arm-rf-domain-profile
  arm-rf-domain-key 49868e8b02680a8f03980ea4288197a4
ap-lacp-striping-ip
ap-group default
  virtual-ap default
  dot11a-radio-profile ch149
  dot11g-radio-profile channel-6
ap-name 001a1eca2c1a
  dot11a-radio-profile ch 36
  dot11g-radio-profile channel-11
ap-name 001a1eca2c76
  dot11a-radio-profile ch 36
  dot11g-radio-profile channel-1
ap-name 00246ccbf8b1
ap-name 00246ccbf900
  dot11a-radio-profile ch44
  dot11g-radio-profile channel-11
ap-name 24dec6cacabc
  dot11a-radio-profile ch149
  dot11g-radio-profile channel-1
ap-name 3400-ap-61-a
  dot11g-radio-profile channel-6
ap-name 3400-ap-61-b
  dot11g-radio-profile channel-6
ap-name 9c1c12c0c3bc
  dot11a-radio-profile ch 165
  dot11g-radio-profile channel-6

ap-name 9c1c12c82e5c
  dot11a-radio-profile ch149
  dot11g-radio-profile channel-1
ap-name 9c1c12cc6220
  dot11a-radio-profile ch 36
  dot11g-radio-profile channel-6
ap-name d8c7c8c0a168
  dot11a-radio-profile ch 36
  dot11g-radio-profile channel-1
airgroup cppm-server aaa
logging level warnings security subcat ids
logging level warnings security subcat ids-ap
snmp-server enable trap
snmp-server trap source 0000
snmp-server trap disable wlsxAdhocNetwork
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedAP
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedSta
snmp-server trap disable wlsxAdhocUsingValidSSID
snmp-server trap disable wlsxAuthMaxAclEntries
snmp-server trap disable wlsxAuthMaxBWContracts
snmp-server trap disable wlsxAuthMaxUserEntries
snmp-server trap disable wlsxAuthServerIsUp
snmp-server trap disable wlsxAuthServerReqTimedOut
snmp-server trap disable wlsxAuthServerTimedOut
snmp-server trap disable wlsxChannelChanged
snmp-server trap disable wlsxCoverageHoleDetected
snmp-server trap disable wlsxDBCommunicationFailure
snmp-server trap disable wlsxDisconnectStationAttack
snmp-server trap disable wlsxESIServerDown
snmp-server trap disable wlsxESIServerUp
snmp-server trap disable wlsxFanFailure
snmp-server trap disable wlsxFanTrayInserted
snmp-server trap disable wlsxFanTrayRemoved
snmp-server trap disable wlsxGBICInserted
snmp-server trap disable wlsxIpSpoofingDetected
snmp-server trap disable wlsxLCInserted
snmp-server trap disable wlsxLCRemoved
snmp-server trap disable wlsxLicenseExpiry
snmp-server trap disable wlsxLowMemory
snmp-server trap disable wlsxLowOnFlashSpace
snmp-server trap disable wlsxOutOfRangeTemperature
snmp-server trap disable wlsxOutOfRangeVoltage
snmp-server trap disable wlsxPowerSupplyFailure
snmp-server trap disable wlsxPowerSupplyMissing
snmp-server trap disable wlsxProcessDied
snmp-server trap disable wlsxProcessExceedsMemoryLimits
snmp-server trap disable wlsxSCInserted
snmp-server trap disable wlsxSignatureMatch
snmp-server trap disable wlsxStaUnAssociatedFromUnsecureAP
snmp-server trap disable wlsxStationAddedToBlackList
snmp-server trap disable wlsxStationRemovedFromBlackList
snmp-server trap disable wlsxSwitchIPChanged
snmp-server trap disable wlsxSwitchRoleChange
snmp-server trap disable wlsxUserAuthenticationFailed
snmp-server trap disable wlsxUserEntryAuthenticated
snmp-server trap disable wlsxUserEntryChanged
snmp-server trap disable wlsxUserEntryCreated
snmp-server trap disable wlsxUserEntryDeAuthenticated
snmp-server trap disable wlsxUserEntryDeleted
snmp-server trap disable wlsxVrrpStateChange

firewall-visibility
process monitor log
end

Intopaaa profile ascom initial-role ascom authentication-dot1x ascom dot1x-default-role authenticated dot1x-server-group ascomaaa profile defaultaaa profile default-dot1x initial-role ascom authentication-dot1x Freeradius dot1x-default-role authenticated dot1x-server-group intopaaa profile default-dot1x-psk initial-role ascom authentication-dot1x default-psk dot1x-default-role authenticatedaaa authentication captive-portal defaultaaa authentication wispr defaultaaa authentication vpn defaultaaa authentication vpn default-rapaaa authentication mgmtaaa authentication stateful-ntlm defaultaaa authentication stateful-kerberos defaultaaa authentication stateful-dot1x server-group intopaaa authentication wiredweb-serverguest-access-emailvoice loggingvoice dialplan-profile defaultapp lync traffic-control defaultvoice real-time-configvoice sipaaa password-policy mgmtcontrol-plane-security no cpsec-enableids wms-general-profile poll-retries 3ids wms-local-system-profilevalid-network-oui-profileupgrade-profilelicense profileactivate-service-whitelistfile syncing profileifmap cppmpan profile defaultpan active-profileap system-profile defaultap regulatory-domain-profile default country-code US valid-11g-channel 1 valid-11g-channel 6 valid-11g-channel 11 valid-11a-channel 36 valid-11a-channel 40 valid-11a-channel 44 valid-11a-channel 48 valid-11a-channel 149 valid-11a-channel 153 valid-11a-channel 157 valid-11a-channel 161 valid-11a-channel 165 valid-11g-40mhz-channel-pair 1-5 valid-11g-40mhz-channel-pair 7-11 valid-11a-40mhz-channel-pair 36-40 valid-11a-40mhz-channel-pair 44-48 valid-11a-40mhz-channel-pair 149-153 valid-11a-40mhz-channel-pair 157-161ap wired-ap-profile defaultap enet-link-profile defaultap mesh-ht-ssid-profile defaultap lldp med-network-policy-profile defaultap mesh-cluster-profile defaultap lldp profile defaultap mesh-radio-profile defaultap wired-port-profile defaultids general-profile defaultids unauthorized-device-profile defaultids profile defaultrf 
arm-profile default assignment disablerf arm-profile disable assignment disable no scanning no multi-band-scanrf optimization-profile defaultrf event-thresholds-profile defaultrf am-scan-profile defaultrf dot11a-radio-profile ch 165 channel 48E tx-power 6 arm-profile disablerf dot11a-radio-profile ch 36 channel 36E tx-power 25 dot11h arm-profile disablerf dot11a-radio-profile ch 40 channel 40- tx-power 22rf dot11a-radio-profile ch149 channel 149E tx-power 6 dot11hrf dot11a-radio-profile ch44 channel 44 tx-power 16rf dot11a-radio-profile default arm-profile disablerf dot11g-radio-profile channel-1 channel 1 tx-power 6 dot11h arm-profile disablerf dot11g-radio-profile channel-11 channel 11 tx-power 30 dot11h arm-profile disablerf dot11g-radio-profile channel-6 channel 6 tx-power 25 dot11h arm-profile disablerf dot11g-radio-profile defaultwlan handover-trigger-profile defaultwlan rrm-ie-profile defaultwlan bcn-rpt-req-profile defaultwlan dot11r-profile defaultwlan tsm-req-profile defaultwlan voip-cac-profile default call-capacity 5 bandwidth-capacity 200 send-sip-status-code client 503 send-sip-status-code server 503wlan ht-ssid-profile default no 40MHz-enable no very-high-throughput-enable no 80MHz-enable no short-guard-intvl-20MHz no short-guard-intvl-40MHz no short-guard-intvl-80MHzwlan hotspot anqp-venue-name-profile defaultwlan hotspot anqp-nwk-auth-profile defaultwlan hotspot anqp-roam-cons-profile defaultwlan hotspot anqp-nai-realm-profile defaultwlan hotspot anqp-3gpp-nwk-profile defaultwlan hotspot h2qp-operator-friendly-name-profile defaultwlan hotspot h2qp-wan-metrics-profile defaultwlan hotspot h2qp-conn-capability-profile defaultwlan hotspot h2qp-op-cl-profile defaultwlan hotspot anqp-ip-addr-avail-profile defaultwlan hotspot anqp-domain-name-profile defaultwlan wmm-traffic-management-profile Ascom enable-shapingwlan edca-parameters-profile station defaultwlan edca-parameters-profile ap defaultwlan dot11k-profile defaultwlan ssid-profile --NEW-- essid 
ArubaIntop2 wmm-vo-dscp 56 wmm-vi-dscp 40 wmm-be-dscp 24 wmm-bk-dscp 8wlan ssid-profile default essid ArubaIntop opmode wpa2-psk-aes dtim-period 5 g-basic-rates 6 g-tx-rates 11 12 18 24 36 48 54 max-retries 4 wmm wmm-vo-dscp 46 wmm-vi-dscp 40 wmm-be-dscp 26 wmm-bk-dscp 0 wepkey1 1317981aecb1ee9a3145cbeeabbbc99a4c29e309ef9c8544 wpa-passphrase 50a78a5dac7e447441e028920cceef898a3ba5f29c6e2098 max-tx-fail 25 edca-parameters-profile station default edca-parameters-profile ap defaultwlan ssid-profile test opmode wpa2-psk-aes wmm-vo-dscp 56 wmm-vi-dscp 40 wmm-be-dscp 24 wmm-bk-dscp 8 wpa-passphrase c66913b490044f55538730b888a8522c02008a746fb88738wlan hotspot advertisement-profile defaultwlan hotspot hs2-profile defaultwlan virtual-ap default aaa-profile default-dot1xap provisioning-profile defaultrf arm-rf-domain-profile arm-rf-domain-key 49868e8b02680a8f03980ea4288197a4ap-lacp-striping-ipap-group default virtual-ap default dot11a-radio-profile ch149 dot11g-radio-profile channel-6ap-name 001a1eca2c1a dot11a-radio-profile ch 36 dot11g-radio-profile channel-11ap-name 001a1eca2c76 dot11a-radio-profile ch 36 dot11g-radio-profile channel-1ap-name 00246ccbf8b1ap-name 00246ccbf900 dot11a-radio-profile ch44 dot11g-radio-profile channel-11ap-name 24dec6cacabc dot11a-radio-profile ch149 dot11g-radio-profile channel-1ap-name 3400-ap-61-a dot11g-radio-profile channel-6ap-name 3400-ap-61-b dot11g-radio-profile channel-6ap-name 9c1c12c0c3bc dot11a-radio-profile ch 165 dot11g-radio-profile channel-6ap-name 9c1c12c82e5c dot11a-radio-profile ch149 dot11g-radio-profile channel-1ap-name 9c1c12cc6220 dot11a-radio-profile ch 36 dot11g-radio-profile channel-6ap-name d8c7c8c0a168 dot11a-radio-profile ch 36 dot11g-radio-profile channel-1airgroup cppm-server aaalogging level warnings security subcat idslogging level warnings security subcat ids-apsnmp-server enable trapsnmp-server trap source 0000snmp-server trap disable wlsxAdhocNetworksnmp-server trap disable 
wlsxAdhocNetworkBridgeDetectedAPsnmp-server trap disable wlsxAdhocNetworkBridgeDetectedStasnmp-server trap disable wlsxAdhocUsingValidSSIDsnmp-server trap disable wlsxAuthMaxAclEntriessnmp-server trap disable wlsxAuthMaxBWContractssnmp-server trap disable wlsxAuthMaxUserEntriessnmp-server trap disable wlsxAuthServerIsUpsnmp-server trap disable wlsxAuthServerReqTimedOutsnmp-server trap disable wlsxAuthServerTimedOutsnmp-server trap disable wlsxChannelChangedsnmp-server trap disable wlsxCoverageHoleDetectedsnmp-server trap disable wlsxDBCommunicationFailuresnmp-server trap disable wlsxDisconnectStationAttacksnmp-server trap disable wlsxESIServerDownsnmp-server trap disable wlsxESIServerUpsnmp-server trap disable wlsxFanFailuresnmp-server trap disable wlsxFanTrayInsertedsnmp-server trap disable wlsxFanTrayRemovedsnmp-server trap disable wlsxGBICInsertedsnmp-server trap disable wlsxIpSpoofingDetectedsnmp-server trap disable wlsxLCInsertedsnmp-server trap disable wlsxLCRemovedsnmp-server trap disable wlsxLicenseExpirysnmp-server trap disable wlsxLowMemorysnmp-server trap disable wlsxLowOnFlashSpacesnmp-server trap disable wlsxOutOfRangeTemperaturesnmp-server trap disable wlsxOutOfRangeVoltagesnmp-server trap disable wlsxPowerSupplyFailuresnmp-server trap disable wlsxPowerSupplyMissingsnmp-server trap disable wlsxProcessDiedsnmp-server trap disable wlsxProcessExceedsMemoryLimitssnmp-server trap disable wlsxSCInsertedsnmp-server trap disable wlsxSignatureMatchsnmp-server trap disable wlsxStaUnAssociatedFromUnsecureAPsnmp-server trap disable wlsxStationAddedToBlackListsnmp-server trap disable wlsxStationRemovedFromBlackListsnmp-server trap disable wlsxSwitchIPChangedsnmp-server trap disable wlsxSwitchRoleChangesnmp-server trap disable wlsxUserAuthenticationFailedsnmp-server trap disable wlsxUserEntryAuthenticatedsnmp-server trap disable wlsxUserEntryChangedsnmp-server trap disable wlsxUserEntryCreatedsnmp-server trap disable wlsxUserEntryDeAuthenticatedsnmp-server trap 
disable wlsxUserEntryDeletedsnmp-server trap disable wlsxVrrpStateChangefirewall-visibility process monitor logend

WLAN Interoperability Test Report
Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP115 and AP225
WLAN configuration: Beacon Interval 100ms, DTIM Interval 5, 802.11d Regulatory Domain XX, WMM Enabled (AutoWMM), No Auto-tune, Single Voice VLAN

Test Case | Description | Verdict Ap115 2.4GHz | Verdict Ap115 5.0GHz | Verdict AP225 2.4GHz | Verdict AP225 5.0GHz | Comment
TEST AREA ASSOCIATION AUTHENTICATION
101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS
104 | Association with WPA-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62
105 | Association with WPA-PSK authentication, AES-CCMP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62
106 | Association with WPA2-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED
107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS
110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL
111 | Association with EAP-FAST authentication | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED
115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment
116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate
TEST AREA POWER-SAVE AND QOS PASS
150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL
151 | Beacon period and DTIM interval | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED
152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment
202 | WMM prioritization | PASS | PASS | PASS | PASS | background load generated with iPerf. No degeneration of voice quality
TEST AREA PERFORMANCE
301 | Active mode - unencrypted | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED
303 | Active mode - encrypted with WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED
308 | Power-save mode U-APSD - WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED
309 | Power-save mode U-APSD - WPA2-PSK AES background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED
310 | CAC - TSPEC | PASS | PASS | PASS | PASS | No TSPEC based CAC
TEST AREA ROAMING AND HANDOVER TIMES
401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | avg a/n 24ms, b/g/n 24ms
403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED
404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 52ms, b/g/n 59ms
408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 63ms, b/g/n 62ms
410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | always on, see 408
411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | always on, see 408
TEST AREA BATTERY LIFETIME
501 | Battery lifetime in idle | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED
502 | Battery lifetime in call with no power save | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED
504 | Battery lifetime in call with power save mode U-APSD | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED
TEST AREA STABILITY
601 | Duration of call - Active mode | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED
602 | Duration of call - U-APSD mode | PASS | PASS | PASS | PASS
TEST AREA 802.11n
801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED
802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED
804 | 40MHz channels | NOT TESTED | PASS | NOT TESTED | NOT TESTED
805 | 802.11n rates | PASS | PASS | PASS | PASS

WLAN Interoperability Test Report
Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, Ap103 and AP205
WLAN configuration: Beacon Interval 100ms, DTIM Interval 5, 802.11d Regulatory Domain XX, WMM Enabled (AutoWMM), No Auto-tune, Single Voice VLAN

Test Case | Description | Verdict AP205 2.4GHz | Verdict AP205 5.0GHz | Verdict Ap103 2.4GHz | Verdict Ap103 5.0GHz | Comment
TEST AREA ASSOCIATION AUTHENTICATION
101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS
104 | Association with WPA-PSK authentication, TKIP encryption | See Comment | See Comment | See Comment | See Comment | Not tested. Only possible in Mixed mode and requires advanced configuration of i62
105 | Association with WPA-PSK authentication, AES-CCMP encryption | See Comment | See Comment | See Comment | See Comment | Not tested. Only possible in Mixed mode and requires advanced configuration of i62
106 | Association with WPA2-PSK authentication, TKIP encryption | PASS | PASS | PASS | PASS
107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS
110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL
115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment
116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate
TEST AREA POWER-SAVE AND QOS PASS
150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL
151 | Beacon period and DTIM interval | See Comment | See Comment | PASS | PASS | Only Dtim 1 for AP205 AP103 no remark NOT TESTED
152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment
202 | WMM prioritization | PASS | PASS | PASS | PASS
TEST AREA PERFORMANCE
301 | Active mode - unencrypted | PASS | PASS | PASS | PASS
303 | Active mode - encrypted with WPA2-PSK | PASS | PASS | PASS | PASS
308 | Power-save mode U-APSD - WPA2-PSK | PASS | PASS | PASS | PASS
309 | Power-save mode U-APSD - WPA2-PSK AES background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED
310 | CAC - TSPEC | PASS | PASS | PASS | PASS | Non tspec based CAC
TEST AREA ROAMING AND HANDOVER TIMES
401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 16ms, b/g/n 18ms
403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED
404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 53ms, b/g/n 59ms
408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 46ms, b/g/n 62ms
410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | always on, see 408
411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | always on, see 408
TEST AREA BATTERY LIFETIME
501 | Battery lifetime in idle | See Comment | See Comment | PASS | PASS | 60-70h due to DTIM 1 only AP103 90 100h (DTIM 5)
502 | Battery lifetime in call with no power save | PASS | PASS | PASS | PASS | 3-4 hours
504 | Battery lifetime in call with power save mode U-APSD | PASS | PASS | PASS | PASS | 13h (14-16h for AP103)
TEST AREA STABILITY
601 | Duration of call - Active mode | PASS | PASS | PASS | PASS | 24h +
602 | Duration of call - U-APSD mode | PASS | PASS | PASS | PASS | 24h +
TEST AREA 802.11n
801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED
802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED
804 | 40MHz channels | NOT TESTED | PASS | NOT TESTED | PASS | AP205 80MHz channels verified ok
805 | 802.11n rates | PASS | PASS | PASS | PASS

WLAN Interoperability Test Report
Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, Ap105 and AP135
WLAN configuration: Beacon Interval 100ms, DTIM Interval 5, 802.11d Regulatory Domain XX, WMM Enabled (AutoWMM), No Auto-tune, Single Voice VLAN

Test Case | Description | Verdict Ap105 2.4GHz | Verdict Ap105 5.0GHz | Verdict AP135 2.4GHz | Verdict AP135 5.0GHz | Comment
TEST AREA ASSOCIATION AUTHENTICATION
101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS
104 | Association with WPA-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62
105 | Association with WPA-PSK authentication, AES-CCMP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62
106 | Association with WPA2-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED
107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS
110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL
115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment
116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate
TEST AREA POWER-SAVE AND QOS PASS
150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL
151 | Beacon period and DTIM interval | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Only Dtim 1 for AP205 AP103 no remark NOT TESTED
152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment
202 | WMM prioritization | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | background load generated with iPerf. No degeneration of voice quality
TEST AREA PERFORMANCE
301 | Active mode - unencrypted | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED
303 | Active mode - encrypted with WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED
308 | Power-save mode U-APSD - WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED
309 | Power-save mode U-APSD - WPA2-PSK AES background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED
310 | CAC - TSPEC | PASS | PASS | PASS | PASS | No TSPEC based CAC
TEST AREA ROAMING AND HANDOVER TIMES
401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | avg a/n 29ms, b/g/n 27ms
403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED
404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 57ms, b/g/n 55ms
408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 62ms, b/g/n 60ms
410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | Always on, see 408
411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | Always on, see 408
412 | Preauthentication | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED
TEST AREA BATTERY LIFETIME
501 | Battery lifetime in idle | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED
502 | Battery lifetime in call with no power save | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED
504 | Battery lifetime in call with power save mode U-APSD | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED
TEST AREA STABILITY
601 | Duration of call - Active mode | PASS | PASS | PASS | PASS
602 | Duration of call - U-APSD mode | PASS | PASS | PASS | PASS
TEST AREA 802.11n
801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED
802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED
804 | 40MHz channels | NOT TESTED | NOT TESTED | NOT TESTED | PASS
805 | 802.11n rates | PASS | PASS | PASS | PASS

ip access-list session ascom
  any any any permit
ip access-list session ra-guard
  ipv6 user any icmpv6 rtr-adv deny
ip access-list session allow-printservices
  any any svc-cups permit
  any any svc-lpd-tcp permit
  any any svc-lpd-udp permit
ip access-list session logon-control
  user any udp 68 deny
  any any svc-icmp permit
  any any svc-dns permit
  any any svc-dhcp permit
  any any svc-natt permit
  any network 169.254.0.0 255.255.0.0 any deny
  any network 240.0.0.0 240.0.0.0 any deny
ip access-list session vpnlogon
  user any svc-ike permit
  user any svc-esp permit
  any any svc-l2tp permit
  any any svc-pptp permit
  any any svc-gre permit
ip access-list session srcnat
  user any any src-nat
ip access-list session skinny-acl
  any any svc-sccp permit queue high
ip access-list session tftp-acl
  any any svc-tftp permit
ip access-list session v6-allowall
ip access-list session apprf-cpbase-sacl
ip access-list session cplogout
  user alias controller svc-https dst-nat 8081
ip access-list session apprf-default-via-role-sacl
ip access-list session dhcp-acl
  any any svc-dhcp permit
ip access-list session http-acl
  any any svc-http permit
ip access-list session v6-http-acl
ip access-list session captiveportal6
  ipv6 user alias controller6 svc-https captive
  ipv6 user any svc-http captive
  ipv6 user any svc-https captive
  ipv6 user any svc-http-proxy1 captive
  ipv6 user any svc-http-proxy2 captive
  ipv6 user any svc-http-proxy3 captive
ip access-list session apprf-guest-sacl
ip access-list session ap-uplink-acl
  any any udp 68 permit

  any any svc-icmp permit
  any host 224.0.0.251 udp 5353 permit
ip access-list session ap-acl
  any any svc-gre permit
  any any svc-syslog permit
  any user svc-snmp permit
  user any svc-http permit
  user any svc-http-accl permit
  user any svc-smb-tcp permit
  user any svc-msrpc-tcp permit
  user any svc-snmp-trap permit
  user any svc-ntp permit
  user alias controller svc-ftp permit
ip access-list session svp-acl
  any any svc-svp permit queue high
  user host 224.0.1.116 any permit
ip access-list session noe-acl
  any any svc-noe permit queue high
ip access-list session global-sacl
ip access-list session v6-ap-acl
  ipv6 any any svc-gre permit
  ipv6 any any svc-syslog permit
  ipv6 any user svc-snmp permit
  ipv6 user any svc-snmp-trap permit
  ipv6 user any svc-ntp permit
  ipv6 user alias controller6 svc-ftp permit
ip access-list session h323-acl
  any any svc-h323-tcp permit queue high
  any any svc-h323-udp permit queue high
ip access-list session v6-logon-control
  ipv6 any network fc00::/7 any permit
  ipv6 any network fe80::/64 any permit
  ipv6 any alias ipv6-reserved-range any deny
vpn-dialer default-dialer
  ike authentication PRE-SHARE 0fa4598253e270cc96afbec0732b06120e4a3d76a908f6e2
dot1x high-watermark 60
dot1x low-watermark 57
user-role ap-role
  access-list session ra-guard
  access-list session control
  access-list session ap-acl
  access-list session v6-control
  access-list session v6-ap-acl
user-role denyall
user-role default-vpn-role
  access-list session global-sacl
  access-list session apprf-default-vpn-role-sacl
  access-list session ra-guard
  access-list session allowall
  access-list session v6-allowall
user-role cpbase
  access-list session global-sacl
  access-list session apprf-cpbase-sacl

user-role voice
  access-list session global-sacl
  access-list session apprf-voice-sacl
  access-list session ra-guard
  access-list session sip-acl
  access-list session noe-acl
  access-list session svp-acl
  access-list session vocera-acl
  access-list session skinny-acl
  access-list session h323-acl
  access-list session dhcp-acl
  access-list session tftp-acl
  access-list session dns-acl
  access-list session icmp-acl
user-role ascom
  access-list session global-sacl
  access-list session apprf-ascom-sacl
  access-list session ascom
user-role default-via-role
  access-list session global-sacl
  access-list session apprf-default-via-role-sacl
  access-list session allowall
  access-list session v6-allowall
user-role guest-logon
  captive-portal default
  access-list session ra-guard
  access-list session logon-control
  access-list session captiveportal
  access-list session v6-logon-control
  access-list session captiveportal6
user-role guest
  access-list session global-sacl
  access-list session apprf-guest-sacl
  access-list session ra-guard
  access-list session http-acl
  access-list session https-acl
  access-list session dhcp-acl
  access-list session icmp-acl
  access-list session dns-acl
  access-list session v6-http-acl
  access-list session v6-https-acl
  access-list session v6-dhcp-acl
  access-list session v6-icmp-acl
  access-list session v6-dns-acl
user-role stateful-dot1x
  access-list session global-sacl
  access-list session apprf-stateful-dot1x-sacl
user-role authenticated
  access-list session global-sacl
  access-list session apprf-authenticated-sacl
  access-list session ra-guard
  access-list session allowall
  access-list session v6-allowall
user-role logon
  access-list session ra-guard
  access-list session logon-control
  access-list session captiveportal
  access-list session vpnlogon
  access-list session v6-logon-control

  access-list session captiveportal6
no kernel coredump
interface mgmt
  shutdown
dialer group evdo_us
  init-string ATQ0V1E0
  dial-string ATDT777
dialer group gsm_us
  init-string AT+CGDCONT=1IPISPCINGULAR
  dial-string ATD99
dialer group gsm_asia
  init-string AT+CGDCONT=1IPinternet
  dial-string ATD991
dialer group vivo_br
  init-string AT+CGDCONT=1IPzapvivocombr
  dial-string ATD99
no spanning-tree
interface gigabitethernet 1/0
  description GE1/0
  trusted
  trusted vlan 1-4094
interface gigabitethernet 1/1
  description GE1/1
  trusted
  trusted vlan 1-4094
interface gigabitethernet 1/2
  description GE1/2
  trusted
  trusted vlan 1-4094
interface gigabitethernet 1/3
  description GE1/3
  trusted
  trusted vlan 1-4094
interface vlan 1
  ip address 192.168.0.13 255.255.255.0
ip default-gateway 172201061
ip default-gateway 192.168.0.50
uplink disable

crypto isakmp policy 20
  encryption aes256
crypto isakmp policy 10001
crypto isakmp policy 10002
  encryption aes256
  authentication rsa-sig
crypto isakmp policy 10003
  encryption aes256
crypto isakmp policy 10004
  version v2
  encryption aes256
  authentication rsa-sig
crypto isakmp policy 10005
  encryption aes256
crypto isakmp policy 10006
  version v2
  encryption aes128
  authentication rsa-sig
crypto isakmp policy 10007
  version v2
  encryption aes128
crypto isakmp policy 10008
  version v2
  encryption aes128
  hash sha2-256-128
  group 19
  authentication ecdsa-256
  prf prf-hmac-sha256
crypto isakmp policy 10009
  version v2
  encryption aes256
  hash sha2-384-192
  group 20
  authentication ecdsa-384
  prf prf-hmac-sha384
crypto ipsec transform-set default-ha-transform esp-3des esp-sha-hmac
crypto ipsec transform-set default-boc-bm-transform esp-3des esp-sha-hmac
crypto ipsec transform-set default-rap-transform esp-aes256 esp-sha-hmac
crypto ipsec transform-set default-aes esp-aes256 esp-sha-hmac
crypto dynamic-map default-rap-ipsecmap 10001
  version v2
  set transform-set default-gcm256 default-gcm128 default-rap-transform
crypto dynamic-map default-dynamicmap 10000
  set transform-set default-transform default-aes

crypto map GLOBAL-IKEV2-MAP 10000 ipsec-isakmp dynamic default-rap-ipsecmap
crypto map GLOBAL-MAP 10000 ipsec-isakmp dynamic default-dynamicmap
crypto isakmp eap-passthrough eap-tls
crypto isakmp eap-passthrough eap-peap
crypto isakmp eap-passthrough eap-mschapv2
vpdn group l2tp
vpdn group pptp
tunneled-node-address 0.0.0.0
adp discovery enable
adp igmp-join enable
adp igmp-vlan 0
voice rtcp-inactivity disable
voice alg-based-cac enable
voice sip-midcall-req-timeout disable
ap ap-blacklist-time 3600
ap flush-r1-on-new-r0 disable
mgmt-user admin root 5436b5a101681372db26d314e974065944317cd3e1fe6a5534
no database synchronize
ip mobile domain default
airgroup mdns enable
airgroup dlna enable
airgroup location-discovery enable
airgroup active-wireless-discovery disable
airgroupservice airplay
  id _airplay_tcp
  id _raop_tcp
  id _appletv-v2_tcp
  description AirPlay
airgroupservice airprint
  id _ipp_tcp
  id _pdl-datastream_tcp
  id _printer_tcp
  id _scanner_tcp
  id _universal_sub_ipp_tcp
  id _universal_sub_ipps_tcp
  id _printer_sub_http_tcp
  id _http_tcp

  id _http-alt_tcp
  id _ipp-tls_tcp
  id _fax-ipp_tcp
  id _riousbprint_tcp
  id _cups_sub_ipp_tcp
  id _cups_sub_fax-ipp_tcp
  id _ica-networking_tcp
  id _ptp_tcp
  id _canon-bjnp1_tcp
  id _ipps_tcp
  id _ica-networking2_tcp
  description AirPrint
airgroupservice itunes
  id _home-sharing_tcp
  id _apple-mobdev_tcp
  id _daap_tcp
  id _dacp_tcp
  description iTunes
airgroupservice remotemgmt
  id _ssh_tcp
  id _sftp-ssh_tcp
  id _ftp_tcp
  id _telnet_tcp
  id _rfb_tcp
  id _net-assistant_tcp
  description Remote management
airgroupservice sharing
  id _odisk_tcp
  id _afpovertcp_tcp
  id _xgrid_tcp
  description Sharing
airgroupservice chat
  id _presence_tcp
  description Chat
airgroupservice googlecast
  id _googlecast_tcp
  description GoogleCast supported by Chromecast etc
airgroupservice DIAL
  id urndial-multiscreen-orgservicedial1
  id urndial-multiscreen-orgdevicedial1
  description DIAL supported by Chromecast FireTV Roku etc
airgroupservice DLNA Media
  id urnschemas-upnp-orgdeviceMediaServer1
  id urnschemas-upnp-orgdeviceMediaServer2
  id urnschemas-upnp-orgdeviceMediaServer3
  id urnschemas-upnp-orgdeviceMediaServer4
  id urnschemas-upnp-orgdeviceMediaRenderer1
  id urnschemas-upnp-orgdeviceMediaRenderer2
  id urnschemas-upnp-orgdeviceMediaRenderer3
  id urnschemas-upnp-orgdeviceMediaPlayer1
  description Media
airgroupservice DLNA Print
  id urnschemas-upnp-orgdevicePrinter1
  id urnschemas-upnp-orgservicePrintBasic1
  id urnschemas-upnp-orgservicePrintEnhanced1
  description Print
airgroupservice allowall

   description Remaining-Services
airgroup service airplay enable
airgroup service airprint enable
airgroup service itunes disable
airgroup service remotemgmt disable
airgroup service sharing disable
airgroup service chat disable
airgroup service googlecast disable
airgroup service DIAL enable
airgroup service DLNA Media disable
airgroup service DLNA Print disable
airgroup service allowall disable
ip igmp
ipv6 mld
no firewall attack-rate cp 1024
firewall enable ICE-STUN based firewall traversal
firewall attack-rate grat-arp 50 drop
ipv6 firewall ext-hdr-parse-len 100
firewall cp
ip domain lookup
country US
aaa authentication mac default
aaa authentication dot1x ArubaIntop-dot1x_prof
aaa authentication dot1x ascom
   machine-authentication enable
   machine-authentication machine-default-role ascom
   machine-authentication user-default-role authenticated
   reauthentication
   termination enable
   termination eap-type eap-peap
   termination inner-eap-type eap-mschapv2
aaa authentication dot1x default
aaa authentication dot1x Freeradius
   machine-authentication enable
   machine-authentication machine-default-role ascom
   machine-authentication user-default-role authenticated
aaa authentication-server radius Intop
   host 19216802

   key 6035e299cd29e5ccb74cf92aac31ee2f
aaa server-group ascom
   auth-server Internal
aaa server-group default
   auth-server Internal
   set role condition role value-of
aaa server-group intop
   auth-server Intop
aaa profile ascom
   initial-role ascom
   authentication-dot1x ascom
   dot1x-default-role authenticated
   dot1x-server-group ascom
aaa profile default
aaa profile default-dot1x
   initial-role ascom
   authentication-dot1x Freeradius
   dot1x-default-role authenticated
   dot1x-server-group intop
aaa profile default-dot1x-psk
   initial-role ascom
   authentication-dot1x default-psk
   dot1x-default-role authenticated
aaa authentication captive-portal default
aaa authentication wispr default
aaa authentication vpn default
aaa authentication vpn default-rap
aaa authentication mgmt
aaa authentication stateful-ntlm default
aaa authentication stateful-kerberos default
aaa authentication stateful-dot1x
   server-group intop
aaa authentication wired
web-server
guest-access-email
voice logging
voice dialplan-profile default
app lync traffic-control default
voice real-time-config
voice sip
aaa password-policy mgmt

control-plane-security
   no cpsec-enable
ids wms-general-profile
   poll-retries 3
ids wms-local-system-profile
valid-network-oui-profile
upgrade-profile
license profile
activate-service-whitelist
file syncing profile
ifmap cppm
pan profile default
pan active-profile
ap system-profile default
ap regulatory-domain-profile default
   country-code US
   valid-11g-channel 1
   valid-11g-channel 6
   valid-11g-channel 11
   valid-11a-channel 36
   valid-11a-channel 40
   valid-11a-channel 44
   valid-11a-channel 48
   valid-11a-channel 149
   valid-11a-channel 153
   valid-11a-channel 157
   valid-11a-channel 161
   valid-11a-channel 165
   valid-11g-40mhz-channel-pair 1-5
   valid-11g-40mhz-channel-pair 7-11
   valid-11a-40mhz-channel-pair 36-40
   valid-11a-40mhz-channel-pair 44-48
   valid-11a-40mhz-channel-pair 149-153
   valid-11a-40mhz-channel-pair 157-161
ap wired-ap-profile default
ap enet-link-profile default
ap mesh-ht-ssid-profile default
ap lldp med-network-policy-profile default
ap mesh-cluster-profile default
ap lldp profile default
ap mesh-radio-profile default
ap wired-port-profile default
ids general-profile default
ids unauthorized-device-profile default

ids profile default
rf arm-profile default
   assignment disable
rf arm-profile disable
   assignment disable
   no scanning
   no multi-band-scan
rf optimization-profile default
rf event-thresholds-profile default
rf am-scan-profile default
rf dot11a-radio-profile ch 165
   channel 48E
   tx-power 6
   arm-profile disable
rf dot11a-radio-profile ch 36
   channel 36E
   tx-power 25
   dot11h
   arm-profile disable
rf dot11a-radio-profile ch 40
   channel 40-
   tx-power 22
rf dot11a-radio-profile ch149
   channel 149E
   tx-power 6
   dot11h
rf dot11a-radio-profile ch44
   channel 44
   tx-power 16
rf dot11a-radio-profile default
   arm-profile disable
rf dot11g-radio-profile channel-1
   channel 1
   tx-power 6
   dot11h
   arm-profile disable
rf dot11g-radio-profile channel-11
   channel 11
   tx-power 30
   dot11h
   arm-profile disable
rf dot11g-radio-profile channel-6
   channel 6
   tx-power 25
   dot11h
   arm-profile disable
rf dot11g-radio-profile default
wlan handover-trigger-profile default

wlan rrm-ie-profile default
wlan bcn-rpt-req-profile default
wlan dot11r-profile default
wlan tsm-req-profile default
wlan voip-cac-profile default
   call-capacity 5
   bandwidth-capacity 200
   send-sip-status-code client 503
   send-sip-status-code server 503
wlan ht-ssid-profile default
   no 40MHz-enable
   no very-high-throughput-enable
   no 80MHz-enable
   no short-guard-intvl-20MHz
   no short-guard-intvl-40MHz
   no short-guard-intvl-80MHz
wlan hotspot anqp-venue-name-profile default
wlan hotspot anqp-nwk-auth-profile default
wlan hotspot anqp-roam-cons-profile default
wlan hotspot anqp-nai-realm-profile default
wlan hotspot anqp-3gpp-nwk-profile default
wlan hotspot h2qp-operator-friendly-name-profile default
wlan hotspot h2qp-wan-metrics-profile default
wlan hotspot h2qp-conn-capability-profile default
wlan hotspot h2qp-op-cl-profile default
wlan hotspot anqp-ip-addr-avail-profile default
wlan hotspot anqp-domain-name-profile default
wlan wmm-traffic-management-profile Ascom
   enable-shaping
wlan edca-parameters-profile station default
wlan edca-parameters-profile ap default
wlan dot11k-profile default
wlan ssid-profile --NEW--
   essid ArubaIntop2
   wmm-vo-dscp 56
   wmm-vi-dscp 40
   wmm-be-dscp 24
   wmm-bk-dscp 8
wlan ssid-profile default
   essid ArubaIntop
   opmode wpa2-psk-aes
   dtim-period 5
   g-basic-rates 6
   g-tx-rates 11 12 18 24 36 48 54

   max-retries 4
   wmm
   wmm-vo-dscp 46
   wmm-vi-dscp 40
   wmm-be-dscp 26
   wmm-bk-dscp 0
   wepkey1 1317981aecb1ee9a3145cbeeabbbc99a4c29e309ef9c8544
   wpa-passphrase 50a78a5dac7e447441e028920cceef898a3ba5f29c6e2098
   max-tx-fail 25
   edca-parameters-profile station default
   edca-parameters-profile ap default
wlan ssid-profile test
   opmode wpa2-psk-aes
   wmm-vo-dscp 56
   wmm-vi-dscp 40
   wmm-be-dscp 24
   wmm-bk-dscp 8
   wpa-passphrase c66913b490044f55538730b888a8522c02008a746fb88738
wlan hotspot advertisement-profile default
wlan hotspot hs2-profile default
wlan virtual-ap default
   aaa-profile default-dot1x
ap provisioning-profile default
rf arm-rf-domain-profile
   arm-rf-domain-key 49868e8b02680a8f03980ea4288197a4
ap-lacp-striping-ip
ap-group default
   virtual-ap default
   dot11a-radio-profile ch149
   dot11g-radio-profile channel-6
ap-name 001a1eca2c1a
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-11
ap-name 001a1eca2c76
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-1
ap-name 00246ccbf8b1
ap-name 00246ccbf900
   dot11a-radio-profile ch44
   dot11g-radio-profile channel-11
ap-name 24dec6cacabc
   dot11a-radio-profile ch149
   dot11g-radio-profile channel-1
ap-name 3400-ap-61-a
   dot11g-radio-profile channel-6
ap-name 3400-ap-61-b
   dot11g-radio-profile channel-6
ap-name 9c1c12c0c3bc
   dot11a-radio-profile ch 165
   dot11g-radio-profile channel-6

ap-name 9c1c12c82e5c
   dot11a-radio-profile ch149
   dot11g-radio-profile channel-1
ap-name 9c1c12cc6220
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-6
ap-name d8c7c8c0a168
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-1
airgroup cppm-server aaa
logging level warnings security subcat ids
logging level warnings security subcat ids-ap
snmp-server enable trap
snmp-server trap source 0000
snmp-server trap disable wlsxAdhocNetwork
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedAP
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedSta
snmp-server trap disable wlsxAdhocUsingValidSSID
snmp-server trap disable wlsxAuthMaxAclEntries
snmp-server trap disable wlsxAuthMaxBWContracts
snmp-server trap disable wlsxAuthMaxUserEntries
snmp-server trap disable wlsxAuthServerIsUp
snmp-server trap disable wlsxAuthServerReqTimedOut
snmp-server trap disable wlsxAuthServerTimedOut
snmp-server trap disable wlsxChannelChanged
snmp-server trap disable wlsxCoverageHoleDetected
snmp-server trap disable wlsxDBCommunicationFailure
snmp-server trap disable wlsxDisconnectStationAttack
snmp-server trap disable wlsxESIServerDown
snmp-server trap disable wlsxESIServerUp
snmp-server trap disable wlsxFanFailure
snmp-server trap disable wlsxFanTrayInserted
snmp-server trap disable wlsxFanTrayRemoved
snmp-server trap disable wlsxGBICInserted
snmp-server trap disable wlsxIpSpoofingDetected
snmp-server trap disable wlsxLCInserted
snmp-server trap disable wlsxLCRemoved
snmp-server trap disable wlsxLicenseExpiry
snmp-server trap disable wlsxLowMemory
snmp-server trap disable wlsxLowOnFlashSpace
snmp-server trap disable wlsxOutOfRangeTemperature
snmp-server trap disable wlsxOutOfRangeVoltage
snmp-server trap disable wlsxPowerSupplyFailure
snmp-server trap disable wlsxPowerSupplyMissing
snmp-server trap disable wlsxProcessDied
snmp-server trap disable wlsxProcessExceedsMemoryLimits
snmp-server trap disable wlsxSCInserted
snmp-server trap disable wlsxSignatureMatch
snmp-server trap disable wlsxStaUnAssociatedFromUnsecureAP
snmp-server trap disable wlsxStationAddedToBlackList
snmp-server trap disable wlsxStationRemovedFromBlackList
snmp-server trap disable wlsxSwitchIPChanged
snmp-server trap disable wlsxSwitchRoleChange
snmp-server trap disable wlsxUserAuthenticationFailed
snmp-server trap disable wlsxUserEntryAuthenticated
snmp-server trap disable wlsxUserEntryChanged
snmp-server trap disable wlsxUserEntryCreated
snmp-server trap disable wlsxUserEntryDeAuthenticated
snmp-server trap disable wlsxUserEntryDeleted
snmp-server trap disable wlsxVrrpStateChange

firewall-visibility
process monitor log
end


WLAN TR


WLAN Interoperability Test Report

Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP115 and AP225

WLAN configuration:
Beacon Interval 100ms
DTIM Interval 5
802.11d Regulatory Domain XX
WMM Enabled (AutoWMM)
No Auto-tune
Single Voice VLAN

| Test Case | Description | AP115 2.4 GHz | AP115 5.0 GHz | AP225 2.4 GHz | AP225 5.0 GHz | Comment |
|---|---|---|---|---|---|---|
| | TEST AREA ASSOCIATION AUTHENTICATION | | | | | |
| 101 | Association with open authentication no encryption | PASS | PASS | PASS | PASS | |
| 104 | Association with WPA-PSK authentication TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 105 | Association with WPA-PSK authentication AES-CCMP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 106 | Association with WPA2-PSK authentication TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 107 | Association with WPA2-PSK authentication AES-CCMP encryption | PASS | PASS | PASS | PASS | |
| 110 | Association with PEAP-MSCHAPv2 auth AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL |
| 111 | Association with EAP-FAST authentication | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment |
| 116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate |
| | TEST AREA POWER-SAVE AND QOS | | | | | PASS |
| 150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL |
| 151 | Beacon period and DTIM interval | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
| 152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment |
| 202 | WMM prioritization | PASS | PASS | PASS | PASS | background load generated with iPerf. No degeneration of voice quality |
| | TEST AREA PERFORMANCE | | | | | |
| 301 | Active mode - unencrypted | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 303 | Active mode - encrypted with WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 308 | Power-save mode U-APSD - WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 309 | Power-save mode U-APSD - WPA2-PSK AES background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 310 | CAC - TSPEC | PASS | PASS | PASS | PASS | No TSPEC based CAC |
| | TEST AREA ROAMING AND HANDOVER TIMES | | | | | |
| 401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | avg a/n 24ms, b/g/n 24ms |
| 403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 52ms, b/g/n 59ms |
| 408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 63ms, b/g/n 62ms |
| 410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | always on, see 408 |
| 411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | always on, see 408 |
| | TEST AREA BATTERY LIFETIME | | | | | |
| 501 | Battery lifetime in idle | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 502 | Battery lifetime in call with no power save | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 504 | Battery lifetime in call with power save mode U-APSD | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| | TEST AREA STABILITY | | | | | |
| 601 | Duration of call - Active mode | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 602 | Duration of call - U-APSD mode | PASS | PASS | PASS | PASS | |
| | TEST AREA 802.11n | | | | | |
| 801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 804 | 40MHz channels | NOT TESTED | PASS | NOT TESTED | NOT TESTED | |
| 805 | 802.11n rates | PASS | PASS | PASS | PASS | |

WLAN Interoperability Test Report

Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP103 and AP205

WLAN configuration:
Beacon Interval 100ms
DTIM Interval 5
802.11d Regulatory Domain XX
WMM Enabled (AutoWMM)
No Auto-tune
Single Voice VLAN

| Test Case | Description | AP205 2.4 GHz | AP205 5.0 GHz | AP103 2.4 GHz | AP103 5.0 GHz | Comment |
|---|---|---|---|---|---|---|
| | TEST AREA ASSOCIATION AUTHENTICATION | | | | | |
| 101 | Association with open authentication no encryption | PASS | PASS | PASS | PASS | |
| 104 | Association with WPA-PSK authentication TKIP encryption | See Comment | See Comment | See Comment | See Comment | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 105 | Association with WPA-PSK authentication AES-CCMP encryption | See Comment | See Comment | See Comment | See Comment | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 106 | Association with WPA2-PSK authentication TKIP encryption | PASS | PASS | PASS | PASS | |
| 107 | Association with WPA2-PSK authentication AES-CCMP encryption | PASS | PASS | PASS | PASS | |
| 110 | Association with PEAP-MSCHAPv2 auth AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL |
| 115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment |
| 116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate |
| | TEST AREA POWER-SAVE AND QOS | | | | | PASS |
| 150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL |
| 151 | Beacon period and DTIM interval | See Comment | See Comment | PASS | PASS | Only Dtim 1 for AP205 AP103 no remark NOT TESTED |
| 152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment |
| 202 | WMM prioritization | PASS | PASS | PASS | PASS | |
| | TEST AREA PERFORMANCE | | | | | |
| 301 | Active mode - unencrypted | PASS | PASS | PASS | PASS | |
| 303 | Active mode - encrypted with WPA2-PSK | PASS | PASS | PASS | PASS | |
| 308 | Power-save mode U-APSD - WPA2-PSK | PASS | PASS | PASS | PASS | |
| 309 | Power-save mode U-APSD - WPA2-PSK AES background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 310 | CAC - TSPEC | PASS | PASS | PASS | PASS | Non tspec based CAC |
| | TEST AREA ROAMING AND HANDOVER TIMES | | | | | |
| 401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 16ms, b/g/n 18ms |
| 403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 53ms, b/g/n 59ms |
| 408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 46ms, b/g/n 62ms |
| 410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | always on, see 408 |
| 411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | always on, see 408 |
| | TEST AREA BATTERY LIFETIME | | | | | |
| 501 | Battery lifetime in idle | See Comment | See Comment | PASS | PASS | 60-70h due to DTIM 1 only AP103 90 100h (DTIM 5) |
| 502 | Battery lifetime in call with no power save | PASS | PASS | PASS | PASS | 3-4hours |
| 504 | Battery lifetime in call with power save mode U-APSD | PASS | PASS | PASS | PASS | 13h (14-16h for AP103) |
| | TEST AREA STABILITY | | | | | |
| 601 | Duration of call - Active mode | PASS | PASS | PASS | PASS | 24h + |
| 602 | Duration of call - U-APSD mode | PASS | PASS | PASS | PASS | 24h + |
| | TEST AREA 802.11n | | | | | |
| 801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 804 | 40MHz channels | NOT TESTED | PASS | NOT TESTED | PASS | AP205 80MHz channels verified ok |
| 805 | 802.11n rates | PASS | PASS | PASS | PASS | |

WLAN Interoperability Test Report

Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP105 and AP135

WLAN configuration:
Beacon Interval 100ms
DTIM Interval 5
802.11d Regulatory Domain XX
WMM Enabled (AutoWMM)
No Auto-tune
Single Voice VLAN

| Test Case | Description | AP105 2.4 GHz | AP105 5.0 GHz | AP135 2.4 GHz | AP135 5.0 GHz | Comment |
|---|---|---|---|---|---|---|
| | TEST AREA ASSOCIATION AUTHENTICATION | | | | | |
| 101 | Association with open authentication no encryption | PASS | PASS | PASS | PASS | |
| 104 | Association with WPA-PSK authentication TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 105 | Association with WPA-PSK authentication AES-CCMP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 106 | Association with WPA2-PSK authentication TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 107 | Association with WPA2-PSK authentication AES-CCMP encryption | PASS | PASS | PASS | PASS | |
| 110 | Association with PEAP-MSCHAPv2 auth AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL |
| 115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment |
| 116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate |
| | TEST AREA POWER-SAVE AND QOS | | | | | PASS |
| 150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL |
| 151 | Beacon period and DTIM interval | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Only Dtim 1 for AP205 AP103 no remark NOT TESTED |
| 152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment |
| 202 | WMM prioritization | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | background load generated with iPerf. No degeneration of voice quality |
| | TEST AREA PERFORMANCE | | | | | |
| 301 | Active mode - unencrypted | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 303 | Active mode - encrypted with WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 308 | Power-save mode U-APSD - WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 309 | Power-save mode U-APSD - WPA2-PSK AES background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 310 | CAC - TSPEC | PASS | PASS | PASS | PASS | No TSPEC based CAC |
| | TEST AREA ROAMING AND HANDOVER TIMES | | | | | |
| 401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | avg a/n 29ms, b/g/n 27ms |
| 403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 57ms, b/g/n 55ms |
| 408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 62ms, b/g/n 60ms |
| 410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | Always on, see 408 |
| 411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | Always on, see 408 |
| 412 | Preauthentication | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| | TEST AREA BATTERY LIFETIME | | | | | |
| 501 | Battery lifetime in idle | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 502 | Battery lifetime in call with no power save | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 504 | Battery lifetime in call with power save mode U-APSD | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| | TEST AREA STABILITY | | | | | |
| 601 | Duration of call - Active mode | PASS | PASS | PASS | PASS | |
| 602 | Duration of call - U-APSD mode | PASS | PASS | PASS | PASS | |
| | TEST AREA 802.11n | | | | | |
| 801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 804 | 40MHz channels | NOT TESTED | NOT TESTED | NOT TESTED | PASS | |
| 805 | 802.11n rates | PASS | PASS | PASS | PASS | |


   any any svc-icmp permit
   any host 22400251 udp 5353 permit
ip access-list session ap-acl
   any any svc-gre permit
   any any svc-syslog permit
   any user svc-snmp permit
   user any svc-http permit
   user any svc-http-accl permit
   user any svc-smb-tcp permit
   user any svc-msrpc-tcp permit
   user any svc-snmp-trap permit
   user any svc-ntp permit
   user alias controller svc-ftp permit
ip access-list session svp-acl
   any any svc-svp permit queue high
   user host 22401116 any permit
ip access-list session noe-acl
   any any svc-noe permit queue high
ip access-list session global-sacl
ip access-list session v6-ap-acl
   ipv6 any any svc-gre permit
   ipv6 any any svc-syslog permit
   ipv6 any user svc-snmp permit
   ipv6 user any svc-snmp-trap permit
   ipv6 user any svc-ntp permit
   ipv6 user alias controller6 svc-ftp permit
ip access-list session h323-acl
   any any svc-h323-tcp permit queue high
   any any svc-h323-udp permit queue high
ip access-list session v6-logon-control
   ipv6 any network fc007 any permit
   ipv6 any network fe8064 any permit
   ipv6 any alias ipv6-reserved-range any deny
vpn-dialer default-dialer
   ike authentication PRE-SHARE 0fa4598253e270cc96afbec0732b06120e4a3d76a908f6e2
dot1x high-watermark 60
dot1x low-watermark 57
user-role ap-role
   access-list session ra-guard
   access-list session control
   access-list session ap-acl
   access-list session v6-control
   access-list session v6-ap-acl
user-role denyall
user-role default-vpn-role
   access-list session global-sacl
   access-list session apprf-default-vpn-role-sacl
   access-list session ra-guard
   access-list session allowall
   access-list session v6-allowall
user-role cpbase
   access-list session global-sacl
   access-list session apprf-cpbase-sacl


user-role voice
   access-list session global-sacl
   access-list session apprf-voice-sacl
   access-list session ra-guard
   access-list session sip-acl
   access-list session noe-acl
   access-list session svp-acl
   access-list session vocera-acl
   access-list session skinny-acl
   access-list session h323-acl
   access-list session dhcp-acl
   access-list session tftp-acl
   access-list session dns-acl
   access-list session icmp-acl
user-role ascom
   access-list session global-sacl
   access-list session apprf-ascom-sacl
   access-list session ascom
user-role default-via-role
   access-list session global-sacl
   access-list session apprf-default-via-role-sacl
   access-list session allowall
   access-list session v6-allowall
user-role guest-logon
   captive-portal default
   access-list session ra-guard
   access-list session logon-control
   access-list session captiveportal
   access-list session v6-logon-control
   access-list session captiveportal6
user-role guest
   access-list session global-sacl
   access-list session apprf-guest-sacl
   access-list session ra-guard
   access-list session http-acl
   access-list session https-acl
   access-list session dhcp-acl
   access-list session icmp-acl
   access-list session dns-acl
   access-list session v6-http-acl
   access-list session v6-https-acl
   access-list session v6-dhcp-acl
   access-list session v6-icmp-acl
   access-list session v6-dns-acl
user-role stateful-dot1x
   access-list session global-sacl
   access-list session apprf-stateful-dot1x-sacl
user-role authenticated
   access-list session global-sacl
   access-list session apprf-authenticated-sacl
   access-list session ra-guard
   access-list session allowall
   access-list session v6-allowall
user-role logon
   access-list session ra-guard
   access-list session logon-control
   access-list session captiveportal
   access-list session vpnlogon
   access-list session v6-logon-control


   access-list session captiveportal6
no kernel coredump
interface mgmt
   shutdown
dialer group evdo_us
   init-string ATQ0V1E0
   dial-string ATDT777
dialer group gsm_us
   init-string AT+CGDCONT=1IPISPCINGULAR
   dial-string ATD99
dialer group gsm_asia
   init-string AT+CGDCONT=1IPinternet
   dial-string ATD991
dialer group vivo_br
   init-string AT+CGDCONT=1IPzapvivocombr
   dial-string ATD99
no spanning-tree
interface gigabitethernet 10
   description GE10
   trusted
   trusted vlan 1-4094
interface gigabitethernet 11
   description GE11
   trusted
   trusted vlan 1-4094
interface gigabitethernet 12
   description GE12
   trusted
   trusted vlan 1-4094
interface gigabitethernet 13
   description GE13
   trusted
   trusted vlan 1-4094
interface vlan 1
   ip address 192168013 2552552550
ip default-gateway 172201061
ip default-gateway 192168050
uplink disable


crypto isakmp policy 20
   encryption aes256
crypto isakmp policy 10001
crypto isakmp policy 10002
   encryption aes256
   authentication rsa-sig
crypto isakmp policy 10003
   encryption aes256
crypto isakmp policy 10004
   version v2
   encryption aes256
   authentication rsa-sig
crypto isakmp policy 10005
   encryption aes256
crypto isakmp policy 10006
   version v2
   encryption aes128
   authentication rsa-sig
crypto isakmp policy 10007
   version v2
   encryption aes128
crypto isakmp policy 10008
   version v2
   encryption aes128
   hash sha2-256-128
   group 19
   authentication ecdsa-256
   prf prf-hmac-sha256
crypto isakmp policy 10009
   version v2
   encryption aes256
   hash sha2-384-192
   group 20
   authentication ecdsa-384
   prf prf-hmac-sha384
crypto ipsec transform-set default-ha-transform esp-3des esp-sha-hmac
crypto ipsec transform-set default-boc-bm-transform esp-3des esp-sha-hmac
crypto ipsec transform-set default-rap-transform esp-aes256 esp-sha-hmac
crypto ipsec transform-set default-aes esp-aes256 esp-sha-hmac
crypto dynamic-map default-rap-ipsecmap 10001
   version v2
   set transform-set default-gcm256 default-gcm128 default-rap-transform
crypto dynamic-map default-dynamicmap 10000
   set transform-set default-transform default-aes


crypto map GLOBAL-IKEV2-MAP 10000 ipsec-isakmp dynamic default-rap-ipsecmap
crypto map GLOBAL-MAP 10000 ipsec-isakmp dynamic default-dynamicmap
crypto isakmp eap-passthrough eap-tls
crypto isakmp eap-passthrough eap-peap
crypto isakmp eap-passthrough eap-mschapv2
vpdn group l2tp
vpdn group pptp
tunneled-node-address 0000
adp discovery enable
adp igmp-join enable
adp igmp-vlan 0
voice rtcp-inactivity disable
voice alg-based-cac enable
voice sip-midcall-req-timeout disable
ap ap-blacklist-time 3600
ap flush-r1-on-new-r0 disable
mgmt-user admin root 5436b5a101681372db26d314e974065944317cd3e1fe6a5534
no database synchronize
ip mobile domain default
airgroup mdns enable
airgroup dlna enable
airgroup location-discovery enable
airgroup active-wireless-discovery disable
airgroupservice airplay
   id _airplay_tcp
   id _raop_tcp
   id _appletv-v2_tcp
   description AirPlay
airgroupservice airprint
   id _ipp_tcp
   id _pdl-datastream_tcp
   id _printer_tcp
   id _scanner_tcp
   id _universal_sub_ipp_tcp
   id _universal_sub_ipps_tcp
   id _printer_sub_http_tcp
   id _http_tcp


   id _http-alt_tcp
   id _ipp-tls_tcp
   id _fax-ipp_tcp
   id _riousbprint_tcp
   id _cups_sub_ipp_tcp
   id _cups_sub_fax-ipp_tcp
   id _ica-networking_tcp
   id _ptp_tcp
   id _canon-bjnp1_tcp
   id _ipps_tcp
   id _ica-networking2_tcp
   description AirPrint
airgroupservice itunes
   id _home-sharing_tcp
   id _apple-mobdev_tcp
   id _daap_tcp
   id _dacp_tcp
   description iTunes
airgroupservice remotemgmt
   id _ssh_tcp
   id _sftp-ssh_tcp
   id _ftp_tcp
   id _telnet_tcp
   id _rfb_tcp
   id _net-assistant_tcp
   description Remote management
airgroupservice sharing
   id _odisk_tcp
   id _afpovertcp_tcp
   id _xgrid_tcp
   description Sharing
airgroupservice chat
   id _presence_tcp
   description Chat
airgroupservice googlecast
   id _googlecast_tcp
   description GoogleCast supported by Chromecast etc
airgroupservice DIAL
   id urndial-multiscreen-orgservicedial1
   id urndial-multiscreen-orgdevicedial1
   description DIAL supported by Chromecast FireTV Roku etc
airgroupservice DLNA Media
   id urnschemas-upnp-orgdeviceMediaServer1
   id urnschemas-upnp-orgdeviceMediaServer2
   id urnschemas-upnp-orgdeviceMediaServer3
   id urnschemas-upnp-orgdeviceMediaServer4
   id urnschemas-upnp-orgdeviceMediaRenderer1
   id urnschemas-upnp-orgdeviceMediaRenderer2
   id urnschemas-upnp-orgdeviceMediaRenderer3
   id urnschemas-upnp-orgdeviceMediaPlayer1
   description Media
airgroupservice DLNA Print
   id urnschemas-upnp-orgdevicePrinter1
   id urnschemas-upnp-orgservicePrintBasic1
   id urnschemas-upnp-orgservicePrintEnhanced1
   description Print
airgroupservice allowall


   description Remaining-Services
airgroup service airplay enable
airgroup service airprint enable
airgroup service itunes disable
airgroup service remotemgmt disable
airgroup service sharing disable
airgroup service chat disable
airgroup service googlecast disable
airgroup service DIAL enable
airgroup service DLNA Media disable
airgroup service DLNA Print disable
airgroup service allowall disable
ip igmp
ipv6 mld
no firewall attack-rate cp 1024
firewall enable ICE-STUN based firewall traversal
firewall attack-rate grat-arp 50 drop
ipv6 firewall ext-hdr-parse-len 100
firewall cp
ip domain lookup
country US
aaa authentication mac default
aaa authentication dot1x ArubaIntop-dot1x_prof
aaa authentication dot1x ascom
   machine-authentication enable
   machine-authentication machine-default-role ascom
   machine-authentication user-default-role authenticated
   reauthentication
   termination enable
   termination eap-type eap-peap
   termination inner-eap-type eap-mschapv2
aaa authentication dot1x default
aaa authentication dot1x Freeradius
   machine-authentication enable
   machine-authentication machine-default-role ascom
   machine-authentication user-default-role authenticated
aaa authentication-server radius Intop
   host 19216802


   key 6035e299cd29e5ccb74cf92aac31ee2f
aaa server-group ascom
   auth-server Internal
aaa server-group default
   auth-server Internal
   set role condition role value-of
aaa server-group intop
   auth-server Intop
aaa profile ascom
   initial-role ascom
   authentication-dot1x ascom
   dot1x-default-role authenticated
   dot1x-server-group ascom
aaa profile default
aaa profile default-dot1x
   initial-role ascom
   authentication-dot1x Freeradius
   dot1x-default-role authenticated
   dot1x-server-group intop
aaa profile default-dot1x-psk
   initial-role ascom
   authentication-dot1x default-psk
   dot1x-default-role authenticated
aaa authentication captive-portal default
aaa authentication wispr default
aaa authentication vpn default
aaa authentication vpn default-rap
aaa authentication mgmt
aaa authentication stateful-ntlm default
aaa authentication stateful-kerberos default
aaa authentication stateful-dot1x
   server-group intop
aaa authentication wired
web-server
guest-access-email
voice logging
voice dialplan-profile default
app lync traffic-control default
voice real-time-config
voice sip
aaa password-policy mgmt


control-plane-security
   no cpsec-enable
ids wms-general-profile
   poll-retries 3
ids wms-local-system-profile
valid-network-oui-profile
upgrade-profile
license profile
activate-service-whitelist
file syncing profile
ifmap cppm
pan profile default
pan active-profile
ap system-profile default
ap regulatory-domain-profile default
   country-code US
   valid-11g-channel 1
   valid-11g-channel 6
   valid-11g-channel 11
   valid-11a-channel 36
   valid-11a-channel 40
   valid-11a-channel 44
   valid-11a-channel 48
   valid-11a-channel 149
   valid-11a-channel 153
   valid-11a-channel 157
   valid-11a-channel 161
   valid-11a-channel 165
   valid-11g-40mhz-channel-pair 1-5
   valid-11g-40mhz-channel-pair 7-11
   valid-11a-40mhz-channel-pair 36-40
   valid-11a-40mhz-channel-pair 44-48
   valid-11a-40mhz-channel-pair 149-153
   valid-11a-40mhz-channel-pair 157-161
ap wired-ap-profile default
ap enet-link-profile default
ap mesh-ht-ssid-profile default
ap lldp med-network-policy-profile default
ap mesh-cluster-profile default
ap lldp profile default
ap mesh-radio-profile default
ap wired-port-profile default
ids general-profile default
ids unauthorized-device-profile default


ids profile default
rf arm-profile default
   assignment disable
rf arm-profile disable
   assignment disable
   no scanning
   no multi-band-scan
rf optimization-profile default
rf event-thresholds-profile default
rf am-scan-profile default
rf dot11a-radio-profile ch 165
   channel 48E
   tx-power 6
   arm-profile disable
rf dot11a-radio-profile ch 36
   channel 36E
   tx-power 25
   dot11h
   arm-profile disable
rf dot11a-radio-profile ch 40
   channel 40-
   tx-power 22
rf dot11a-radio-profile ch149
   channel 149E
   tx-power 6
   dot11h
rf dot11a-radio-profile ch44
   channel 44
   tx-power 16
rf dot11a-radio-profile default
   arm-profile disable
rf dot11g-radio-profile channel-1
   channel 1
   tx-power 6
   dot11h
   arm-profile disable
rf dot11g-radio-profile channel-11
   channel 11
   tx-power 30
   dot11h
   arm-profile disable
rf dot11g-radio-profile channel-6
   channel 6
   tx-power 25
   dot11h
   arm-profile disable
rf dot11g-radio-profile default
wlan handover-trigger-profile default


wlan rrm-ie-profile default
wlan bcn-rpt-req-profile default
wlan dot11r-profile default
wlan tsm-req-profile default
wlan voip-cac-profile default
   call-capacity 5
   bandwidth-capacity 200
   send-sip-status-code client 503
   send-sip-status-code server 503
wlan ht-ssid-profile default
   no 40MHz-enable
   no very-high-throughput-enable
   no 80MHz-enable
   no short-guard-intvl-20MHz
   no short-guard-intvl-40MHz
   no short-guard-intvl-80MHz
wlan hotspot anqp-venue-name-profile default
wlan hotspot anqp-nwk-auth-profile default
wlan hotspot anqp-roam-cons-profile default
wlan hotspot anqp-nai-realm-profile default
wlan hotspot anqp-3gpp-nwk-profile default
wlan hotspot h2qp-operator-friendly-name-profile default
wlan hotspot h2qp-wan-metrics-profile default
wlan hotspot h2qp-conn-capability-profile default
wlan hotspot h2qp-op-cl-profile default
wlan hotspot anqp-ip-addr-avail-profile default
wlan hotspot anqp-domain-name-profile default
wlan wmm-traffic-management-profile Ascom
   enable-shaping
wlan edca-parameters-profile station default
wlan edca-parameters-profile ap default
wlan dot11k-profile default
wlan ssid-profile --NEW--
   essid ArubaIntop2
   wmm-vo-dscp 56
   wmm-vi-dscp 40
   wmm-be-dscp 24
   wmm-bk-dscp 8
wlan ssid-profile default
   essid ArubaIntop
   opmode wpa2-psk-aes
   dtim-period 5
   g-basic-rates 6
   g-tx-rates 11 12 18 24 36 48 54


   max-retries 4
   wmm
   wmm-vo-dscp 46
   wmm-vi-dscp 40
   wmm-be-dscp 26
   wmm-bk-dscp 0
   wepkey1 1317981aecb1ee9a3145cbeeabbbc99a4c29e309ef9c8544
   wpa-passphrase 50a78a5dac7e447441e028920cceef898a3ba5f29c6e2098
   max-tx-fail 25
   edca-parameters-profile station default
   edca-parameters-profile ap default
wlan ssid-profile test
   opmode wpa2-psk-aes
   wmm-vo-dscp 56
   wmm-vi-dscp 40
   wmm-be-dscp 24
   wmm-bk-dscp 8
   wpa-passphrase c66913b490044f55538730b888a8522c02008a746fb88738
wlan hotspot advertisement-profile default
wlan hotspot hs2-profile default
wlan virtual-ap default
   aaa-profile default-dot1x
ap provisioning-profile default
rf arm-rf-domain-profile
   arm-rf-domain-key 49868e8b02680a8f03980ea4288197a4
ap-lacp-striping-ip
ap-group default
   virtual-ap default
   dot11a-radio-profile ch149
   dot11g-radio-profile channel-6
ap-name 001a1eca2c1a
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-11
ap-name 001a1eca2c76
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-1
ap-name 00246ccbf8b1
ap-name 00246ccbf900
   dot11a-radio-profile ch44
   dot11g-radio-profile channel-11
ap-name 24dec6cacabc
   dot11a-radio-profile ch149
   dot11g-radio-profile channel-1
ap-name 3400-ap-61-a
   dot11g-radio-profile channel-6
ap-name 3400-ap-61-b
   dot11g-radio-profile channel-6
ap-name 9c1c12c0c3bc
   dot11a-radio-profile ch 165
   dot11g-radio-profile channel-6


ap-name 9c1c12c82e5c
   dot11a-radio-profile ch149
   dot11g-radio-profile channel-1
ap-name 9c1c12cc6220
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-6
ap-name d8c7c8c0a168
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-1
airgroup cppm-server aaa
logging level warnings security subcat ids
logging level warnings security subcat ids-ap
snmp-server enable trap
snmp-server trap source 0000
snmp-server trap disable wlsxAdhocNetwork
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedAP
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedSta
snmp-server trap disable wlsxAdhocUsingValidSSID
snmp-server trap disable wlsxAuthMaxAclEntries
snmp-server trap disable wlsxAuthMaxBWContracts
snmp-server trap disable wlsxAuthMaxUserEntries
snmp-server trap disable wlsxAuthServerIsUp
snmp-server trap disable wlsxAuthServerReqTimedOut
snmp-server trap disable wlsxAuthServerTimedOut
snmp-server trap disable wlsxChannelChanged
snmp-server trap disable wlsxCoverageHoleDetected
snmp-server trap disable wlsxDBCommunicationFailure
snmp-server trap disable wlsxDisconnectStationAttack
snmp-server trap disable wlsxESIServerDown
snmp-server trap disable wlsxESIServerUp
snmp-server trap disable wlsxFanFailure
snmp-server trap disable wlsxFanTrayInserted
snmp-server trap disable wlsxFanTrayRemoved
snmp-server trap disable wlsxGBICInserted
snmp-server trap disable wlsxIpSpoofingDetected
snmp-server trap disable wlsxLCInserted
snmp-server trap disable wlsxLCRemoved
snmp-server trap disable wlsxLicenseExpiry
snmp-server trap disable wlsxLowMemory
snmp-server trap disable wlsxLowOnFlashSpace
snmp-server trap disable wlsxOutOfRangeTemperature
snmp-server trap disable wlsxOutOfRangeVoltage
snmp-server trap disable wlsxPowerSupplyFailure
snmp-server trap disable wlsxPowerSupplyMissing
snmp-server trap disable wlsxProcessDied
snmp-server trap disable wlsxProcessExceedsMemoryLimits
snmp-server trap disable wlsxSCInserted
snmp-server trap disable wlsxSignatureMatch
snmp-server trap disable wlsxStaUnAssociatedFromUnsecureAP
snmp-server trap disable wlsxStationAddedToBlackList
snmp-server trap disable wlsxStationRemovedFromBlackList
snmp-server trap disable wlsxSwitchIPChanged
snmp-server trap disable wlsxSwitchRoleChange
snmp-server trap disable wlsxUserAuthenticationFailed
snmp-server trap disable wlsxUserEntryAuthenticated
snmp-server trap disable wlsxUserEntryChanged
snmp-server trap disable wlsxUserEntryCreated
snmp-server trap disable wlsxUserEntryDeAuthenticated
snmp-server trap disable wlsxUserEntryDeleted
snmp-server trap disable wlsxVrrpStateChange


firewall-visibility
process monitor log
end


WLAN Interoperability Test Report
Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP115 and AP225
WLAN configuration: Beacon Interval 100ms; DTIM Interval 5; 802.11d Regulatory Domain XX; WMM Enabled (AutoWMM); No Auto-tune; Single Voice VLAN

| Test Case | Description | AP115 2.4GHz Verdict | AP115 5.0GHz Verdict | AP225 2.4GHz Verdict | AP225 5.0GHz Verdict | Comment |
|---|---|---|---|---|---|---|
| | TEST AREA ASSOCIATION AUTHENTICATION | | | | | |
| 101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS | |
| 104 | Association with WPA-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 105 | Association with WPA-PSK authentication, AES-CCMP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 106 | Association with WPA2-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS | |
| 110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL |
| 111 | Association with EAP-FAST authentication | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment |
| 116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate |
| | TEST AREA POWER-SAVE AND QOS | | | | | PASS |
| 150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL |
| 151 | Beacon period and DTIM interval | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
| 152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment |
| 202 | WMM prioritization | PASS | PASS | PASS | PASS | background load generated with iPerf. No degeneration of voice quality |
| | TEST AREA PERFORMANCE | | | | | |
| 301 | Active mode - unencrypted | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 303 | Active mode - encrypted with WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 308 | Power-save mode U-APSD - WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 309 | Power-save mode U-APSD - WPA2-PSK AES background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 310 | CAC - TSPEC | PASS | PASS | PASS | PASS | No TSPEC based CAC |
| | TEST AREA ROAMING AND HANDOVER TIMES | | | | | |
| 401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | avg a/n 24ms, b/g/n 24ms |
| 403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 52ms, b/g/n 59ms |
| 408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 63ms, b/g/n 62ms |
| 410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | always on, see 408 |
| 411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | always on, see 408 |
| | TEST AREA BATTERY LIFETIME | | | | | |
| 501 | Battery lifetime in idle | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 502 | Battery lifetime in call with no power save | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 504 | Battery lifetime in call with power save mode U-APSD | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| | TEST AREA STABILITY | | | | | |
| 601 | Duration of call - Active mode | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 602 | Duration of call - U-APSD mode | PASS | PASS | PASS | PASS | |
| | TEST AREA 802.11n | | | | | |
| 801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 804 | 40MHz channels | NOT TESTED | PASS | NOT TESTED | NOT TESTED | |
| 805 | 802.11n rates | PASS | PASS | PASS | PASS | |

WLAN Interoperability Test Report
Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP103 and AP205
WLAN configuration: Beacon Interval 100ms; DTIM Interval 5; 802.11d Regulatory Domain XX; WMM Enabled (AutoWMM); No Auto-tune; Single Voice VLAN

| Test Case | Description | AP205 2.4GHz Verdict | AP205 5.0GHz Verdict | AP103 2.4GHz Verdict | AP103 5.0GHz Verdict | Comment |
|---|---|---|---|---|---|---|
| | TEST AREA ASSOCIATION AUTHENTICATION | | | | | |
| 101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS | |
| 104 | Association with WPA-PSK authentication, TKIP encryption | See Comment | See Comment | See Comment | See Comment | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 105 | Association with WPA-PSK authentication, AES-CCMP encryption | See Comment | See Comment | See Comment | See Comment | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 106 | Association with WPA2-PSK authentication, TKIP encryption | PASS | PASS | PASS | PASS | |
| 107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS | |
| 110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL |
| 115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment |
| 116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate |
| | TEST AREA POWER-SAVE AND QOS | | | | | PASS |
| 150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL |
| 151 | Beacon period and DTIM interval | See Comment | See Comment | PASS | PASS | Only Dtim 1 for AP205, AP103 no remark NOT TESTED |
| 152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment |
| 202 | WMM prioritization | PASS | PASS | PASS | PASS | |
| | TEST AREA PERFORMANCE | | | | | |
| 301 | Active mode - unencrypted | PASS | PASS | PASS | PASS | |
| 303 | Active mode - encrypted with WPA2-PSK | PASS | PASS | PASS | PASS | |
| 308 | Power-save mode U-APSD - WPA2-PSK | PASS | PASS | PASS | PASS | |
| 309 | Power-save mode U-APSD - WPA2-PSK AES background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 310 | CAC - TSPEC | PASS | PASS | PASS | PASS | Non tspec based CAC |
| | TEST AREA ROAMING AND HANDOVER TIMES | | | | | |
| 401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 16ms, b/g/n 18ms |
| 403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 53ms, b/g/n 59ms |
| 408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 46ms, b/g/n 62ms |
| 410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | always on, see 408 |
| 411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | always on, see 408 |
| | TEST AREA BATTERY LIFETIME | | | | | |
| 501 | Battery lifetime in idle | See Comment | See Comment | PASS | PASS | 60-70h due to DTIM 1 only AP103 90 100h (DTIM 5) |
| 502 | Battery lifetime in call with no power save | PASS | PASS | PASS | PASS | 3-4hours |
| 504 | Battery lifetime in call with power save mode U-APSD | PASS | PASS | PASS | PASS | 13h (14-16h for AP103) |
| | TEST AREA STABILITY | | | | | |
| 601 | Duration of call - Active mode | PASS | PASS | PASS | PASS | 24h + |
| 602 | Duration of call - U-APSD mode | PASS | PASS | PASS | PASS | 24h + |
| | TEST AREA 802.11n | | | | | |
| 801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 804 | 40MHz channels | NOT TESTED | PASS | NOT TESTED | PASS | AP205 80MHz channels verified ok |
| 805 | 802.11n rates | PASS | PASS | PASS | PASS | |
WLAN Interoperability Test Report WLAN configuration
Beacon Interval 100ms
Test object - Handset DTIM Interval 5
Ascomi62 sw version 528 80211d Regulatory Domain XX
Test object - WLAN system WMM Enabled (AutoWMM)
Aruba 3400 v 6420 No Auto-tune
Ap105 and AP135 Ap105 AP135 Single Voice VLAN
24Ghz 50Ghz 24Ghz 50Ghz
Test Case Description Verdict Verdict Verdict Verdict Comment
TEST AREA ASSOCIATION AUTHENTICATION
101 Association with open authentication no encryption PASS PASS PASS PASS
104 Association with WPA-PSK authentication TKIP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED Not tested Only possible in Mixed mode and requires advanced configuration of i62
105 Association with WPA-PSK authentication AES-CCMP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED Not tested Only possible in Mixed mode and requires advanced configuration of i62
106 Association with WPA2-PSK authentication TKIP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED
107 Association with WPA2-PSK authentication AES-CCMP encryption PASS PASS PASS PASS
110 Association with PEAP-MSCHAPv2 auth AES-CCMP encryption PASS PASS PASS PASS FreeRADIUS RootCA FAIL
115 Association with multiple ESSIDs on AP PASS PASS PASS PASS See Comment
116 Association with EAP-TLS authentication PASS PASS PASS PASS FreeRADIUS RootCA + client certificate
TEST AREA POWER-SAVE AND QOS PASS
150 80211 Power-save mode PASS PASS PASS PASS FAIL
151 Beacon period and DTIM interval NOT TESTED NOT TESTED NOT TESTED NOT TESTED Only Dtim 1 for AP205 AP103 no remark NOT TESTED
152 80211e U-APSD PASS PASS PASS PASS See Comment
202 WMM prioritization NOT TESTED NOT TESTED NOT TESTED NOT TESTED background load generated with iPerf No degeneration of voice quality
TEST AREA PERFORMANCE
301 Active mode - unencrypted NOT TESTED NOT TESTED NOT TESTED NOT TESTED
303 Active mode ndash encrypted with WPA2-PSK NOT TESTED NOT TESTED NOT TESTED NOT TESTED
308 Power-save mode U-APSD ndash WPA2-PSK NOT TESTED NOT TESTED NOT TESTED NOT TESTED
309 Power-save mode U-APSD ndash WPA2-PSK AES background load NOT TESTED NOT TESTED NOT TESTED NOT TESTED
310 CAC - TSPEC PASS PASS PASS PASS No TSPEC based CAC
TEST AREA ROAMING AND HANDOVER TIMES
401 Handover with open authentication and no encryption PASS PASS PASS PASS avg an29ms bgn 27ms
403 Handover with WPA-PSK authentication and TKIP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED
404 Handover with WPA2-PSK auth and AES-CCMP encryption PASS PASS PASS PASS avg an57ms bgn 55ms
408 Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption PASS PASS PASS PASS avg an62ms bgn 60ms
410 Handover using PMKSA caching PASS PASS PASS PASS Always on see 408
411 Handover using PMKSA and opportunisticproactive key caching PASS PASS PASS PASS Always on see 408
412 Preauthentication NOT TESTED NOT TESTED NOT TESTED NOT TESTED
TEST AREA BATTERY LIFETIME
501 Battery lifetime in idle NOT TESTED NOT TESTED NOT TESTED NOT TESTED
502 Battery lifetime in call with no power save NOT TESTED NOT TESTED NOT TESTED NOT TESTED
504 Battery lifetime in call with power save mode U-APSD NOT TESTED NOT TESTED NOT TESTED NOT TESTED
TEST AREA STABILITY
601 Duration of call - Active mode PASS PASS PASS PASS
602 Duration of call - U-APSD mode PASS PASS PASS PASS
TEST AREA 802.11n
801 Frame aggregation A-MSDU NOT TESTED NOT TESTED NOT TESTED NOT TESTED
802 Frame aggregation A-MPDU NOT TESTED NOT TESTED NOT TESTED NOT TESTED
804 40MHz channels NOT TESTED NOT TESTED NOT TESTED PASS
805 802.11n rates PASS PASS PASS PASS


user-role voice
   access-list session global-sacl
   access-list session apprf-voice-sacl
   access-list session ra-guard
   access-list session sip-acl
   access-list session noe-acl
   access-list session svp-acl
   access-list session vocera-acl
   access-list session skinny-acl
   access-list session h323-acl
   access-list session dhcp-acl
   access-list session tftp-acl
   access-list session dns-acl
   access-list session icmp-acl
user-role ascom
   access-list session global-sacl
   access-list session apprf-ascom-sacl
   access-list session ascom
user-role default-via-role
   access-list session global-sacl
   access-list session apprf-default-via-role-sacl
   access-list session allowall
   access-list session v6-allowall
user-role guest-logon
   captive-portal default
   access-list session ra-guard
   access-list session logon-control
   access-list session captiveportal
   access-list session v6-logon-control
   access-list session captiveportal6
user-role guest
   access-list session global-sacl
   access-list session apprf-guest-sacl
   access-list session ra-guard
   access-list session http-acl
   access-list session https-acl
   access-list session dhcp-acl
   access-list session icmp-acl
   access-list session dns-acl
   access-list session v6-http-acl
   access-list session v6-https-acl
   access-list session v6-dhcp-acl
   access-list session v6-icmp-acl
   access-list session v6-dns-acl
user-role stateful-dot1x
   access-list session global-sacl
   access-list session apprf-stateful-dot1x-sacl
user-role authenticated
   access-list session global-sacl
   access-list session apprf-authenticated-sacl
   access-list session ra-guard
   access-list session allowall
   access-list session v6-allowall
user-role logon
   access-list session ra-guard
   access-list session logon-control
   access-list session captiveportal
   access-list session vpnlogon
   access-list session v6-logon-control


   access-list session captiveportal6
no kernel coredump
interface mgmt
   shutdown
dialer group evdo_us
   init-string ATQ0V1E0
   dial-string ATDT777
dialer group gsm_us
   init-string AT+CGDCONT=1IPISPCINGULAR
   dial-string ATD99
dialer group gsm_asia
   init-string AT+CGDCONT=1IPinternet
   dial-string ATD991
dialer group vivo_br
   init-string AT+CGDCONT=1IPzapvivocombr
   dial-string ATD99
no spanning-tree
interface gigabitethernet 10
   description GE10
   trusted
   trusted vlan 1-4094
interface gigabitethernet 11
   description GE11
   trusted
   trusted vlan 1-4094
interface gigabitethernet 12
   description GE12
   trusted
   trusted vlan 1-4094
interface gigabitethernet 13
   description GE13
   trusted
   trusted vlan 1-4094
interface vlan 1
   ip address 192168013 2552552550
ip default-gateway 172201061
ip default-gateway 192168050
uplink disable


crypto isakmp policy 20
   encryption aes256
crypto isakmp policy 10001
crypto isakmp policy 10002
   encryption aes256
   authentication rsa-sig
crypto isakmp policy 10003
   encryption aes256
crypto isakmp policy 10004
   version v2
   encryption aes256
   authentication rsa-sig
crypto isakmp policy 10005
   encryption aes256
crypto isakmp policy 10006
   version v2
   encryption aes128
   authentication rsa-sig
crypto isakmp policy 10007
   version v2
   encryption aes128
crypto isakmp policy 10008
   version v2
   encryption aes128
   hash sha2-256-128
   group 19
   authentication ecdsa-256
   prf prf-hmac-sha256
crypto isakmp policy 10009
   version v2
   encryption aes256
   hash sha2-384-192
   group 20
   authentication ecdsa-384
   prf prf-hmac-sha384
crypto ipsec transform-set default-ha-transform esp-3des esp-sha-hmac
crypto ipsec transform-set default-boc-bm-transform esp-3des esp-sha-hmac
crypto ipsec transform-set default-rap-transform esp-aes256 esp-sha-hmac
crypto ipsec transform-set default-aes esp-aes256 esp-sha-hmac
crypto dynamic-map default-rap-ipsecmap 10001
   version v2
   set transform-set default-gcm256 default-gcm128 default-rap-transform
crypto dynamic-map default-dynamicmap 10000
   set transform-set default-transform default-aes


crypto map GLOBAL-IKEV2-MAP 10000 ipsec-isakmp dynamic default-rap-ipsecmap
crypto map GLOBAL-MAP 10000 ipsec-isakmp dynamic default-dynamicmap
crypto isakmp eap-passthrough eap-tls
crypto isakmp eap-passthrough eap-peap
crypto isakmp eap-passthrough eap-mschapv2
vpdn group l2tp
vpdn group pptp
tunneled-node-address 0000
adp discovery enable
adp igmp-join enable
adp igmp-vlan 0
voice rtcp-inactivity disable
voice alg-based-cac enable
voice sip-midcall-req-timeout disable
ap ap-blacklist-time 3600
ap flush-r1-on-new-r0 disable
mgmt-user admin root 5436b5a101681372db26d314e974065944317cd3e1fe6a5534
no database synchronize
ip mobile domain default
airgroup mdns enable
airgroup dlna enable
airgroup location-discovery enable
airgroup active-wireless-discovery disable
airgroupservice airplay
   id _airplay_tcp
   id _raop_tcp
   id _appletv-v2_tcp
   description AirPlay
airgroupservice airprint
   id _ipp_tcp
   id _pdl-datastream_tcp
   id _printer_tcp
   id _scanner_tcp
   id _universal_sub_ipp_tcp
   id _universal_sub_ipps_tcp
   id _printer_sub_http_tcp
   id _http_tcp


   id _http-alt_tcp
   id _ipp-tls_tcp
   id _fax-ipp_tcp
   id _riousbprint_tcp
   id _cups_sub_ipp_tcp
   id _cups_sub_fax-ipp_tcp
   id _ica-networking_tcp
   id _ptp_tcp
   id _canon-bjnp1_tcp
   id _ipps_tcp
   id _ica-networking2_tcp
   description AirPrint
airgroupservice itunes
   id _home-sharing_tcp
   id _apple-mobdev_tcp
   id _daap_tcp
   id _dacp_tcp
   description iTunes
airgroupservice remotemgmt
   id _ssh_tcp
   id _sftp-ssh_tcp
   id _ftp_tcp
   id _telnet_tcp
   id _rfb_tcp
   id _net-assistant_tcp
   description Remote management
airgroupservice sharing
   id _odisk_tcp
   id _afpovertcp_tcp
   id _xgrid_tcp
   description Sharing
airgroupservice chat
   id _presence_tcp
   description Chat
airgroupservice googlecast
   id _googlecast_tcp
   description GoogleCast supported by Chromecast etc
airgroupservice DIAL
   id urndial-multiscreen-orgservicedial1
   id urndial-multiscreen-orgdevicedial1
   description DIAL supported by Chromecast FireTV Roku etc
airgroupservice DLNA Media
   id urnschemas-upnp-orgdeviceMediaServer1
   id urnschemas-upnp-orgdeviceMediaServer2
   id urnschemas-upnp-orgdeviceMediaServer3
   id urnschemas-upnp-orgdeviceMediaServer4
   id urnschemas-upnp-orgdeviceMediaRenderer1
   id urnschemas-upnp-orgdeviceMediaRenderer2
   id urnschemas-upnp-orgdeviceMediaRenderer3
   id urnschemas-upnp-orgdeviceMediaPlayer1
   description Media
airgroupservice DLNA Print
   id urnschemas-upnp-orgdevicePrinter1
   id urnschemas-upnp-orgservicePrintBasic1
   id urnschemas-upnp-orgservicePrintEnhanced1
   description Print
airgroupservice allowall


   description Remaining-Services
airgroup service airplay enable
airgroup service airprint enable
airgroup service itunes disable
airgroup service remotemgmt disable
airgroup service sharing disable
airgroup service chat disable
airgroup service googlecast disable
airgroup service DIAL enable
airgroup service DLNA Media disable
airgroup service DLNA Print disable
airgroup service allowall disable
ip igmp
ipv6 mld
no firewall attack-rate cp 1024
firewall enable ICE-STUN based firewall traversal
firewall attack-rate grat-arp 50 drop
ipv6 firewall ext-hdr-parse-len 100
firewall cp
ip domain lookup
country US
aaa authentication mac default
aaa authentication dot1x ArubaIntop-dot1x_prof
aaa authentication dot1x ascom
   machine-authentication enable
   machine-authentication machine-default-role ascom
   machine-authentication user-default-role authenticated
   reauthentication
   termination enable
   termination eap-type eap-peap
   termination inner-eap-type eap-mschapv2
aaa authentication dot1x default
aaa authentication dot1x Freeradius
   machine-authentication enable
   machine-authentication machine-default-role ascom
   machine-authentication user-default-role authenticated
aaa authentication-server radius Intop
   host 19216802


   key 6035e299cd29e5ccb74cf92aac31ee2f
aaa server-group ascom
   auth-server Internal
aaa server-group default
   auth-server Internal
   set role condition role value-of
aaa server-group intop
   auth-server Intop
aaa profile ascom
   initial-role ascom
   authentication-dot1x ascom
   dot1x-default-role authenticated
   dot1x-server-group ascom
aaa profile default
aaa profile default-dot1x
   initial-role ascom
   authentication-dot1x Freeradius
   dot1x-default-role authenticated
   dot1x-server-group intop
aaa profile default-dot1x-psk
   initial-role ascom
   authentication-dot1x default-psk
   dot1x-default-role authenticated
aaa authentication captive-portal default
aaa authentication wispr default
aaa authentication vpn default
aaa authentication vpn default-rap
aaa authentication mgmt
aaa authentication stateful-ntlm default
aaa authentication stateful-kerberos default
aaa authentication stateful-dot1x
   server-group intop
aaa authentication wired
web-server
guest-access-email
voice logging
voice dialplan-profile default
app lync traffic-control default
voice real-time-config
voice sip
aaa password-policy mgmt


control-plane-security
   no cpsec-enable
ids wms-general-profile
   poll-retries 3
ids wms-local-system-profile
valid-network-oui-profile
upgrade-profile
license profile
activate-service-whitelist
file syncing profile
ifmap cppm
pan profile default
pan active-profile
ap system-profile default
ap regulatory-domain-profile default
   country-code US
   valid-11g-channel 1
   valid-11g-channel 6
   valid-11g-channel 11
   valid-11a-channel 36
   valid-11a-channel 40
   valid-11a-channel 44
   valid-11a-channel 48
   valid-11a-channel 149
   valid-11a-channel 153
   valid-11a-channel 157
   valid-11a-channel 161
   valid-11a-channel 165
   valid-11g-40mhz-channel-pair 1-5
   valid-11g-40mhz-channel-pair 7-11
   valid-11a-40mhz-channel-pair 36-40
   valid-11a-40mhz-channel-pair 44-48
   valid-11a-40mhz-channel-pair 149-153
   valid-11a-40mhz-channel-pair 157-161
ap wired-ap-profile default
ap enet-link-profile default
ap mesh-ht-ssid-profile default
ap lldp med-network-policy-profile default
ap mesh-cluster-profile default
ap lldp profile default
ap mesh-radio-profile default
ap wired-port-profile default
ids general-profile default
ids unauthorized-device-profile default


ids profile default
rf arm-profile default
   assignment disable
rf arm-profile disable
   assignment disable
   no scanning
   no multi-band-scan
rf optimization-profile default
rf event-thresholds-profile default
rf am-scan-profile default
rf dot11a-radio-profile ch 165
   channel 48E
   tx-power 6
   arm-profile disable
rf dot11a-radio-profile ch 36
   channel 36E
   tx-power 25
   dot11h
   arm-profile disable
rf dot11a-radio-profile ch 40
   channel 40-
   tx-power 22
rf dot11a-radio-profile ch149
   channel 149E
   tx-power 6
   dot11h
rf dot11a-radio-profile ch44
   channel 44
   tx-power 16
rf dot11a-radio-profile default
   arm-profile disable
rf dot11g-radio-profile channel-1
   channel 1
   tx-power 6
   dot11h
   arm-profile disable
rf dot11g-radio-profile channel-11
   channel 11
   tx-power 30
   dot11h
   arm-profile disable
rf dot11g-radio-profile channel-6
   channel 6
   tx-power 25
   dot11h
   arm-profile disable
rf dot11g-radio-profile default
wlan handover-trigger-profile default


wlan rrm-ie-profile default
wlan bcn-rpt-req-profile default
wlan dot11r-profile default
wlan tsm-req-profile default
wlan voip-cac-profile default
   call-capacity 5
   bandwidth-capacity 200
   send-sip-status-code client 503
   send-sip-status-code server 503
wlan ht-ssid-profile default
   no 40MHz-enable
   no very-high-throughput-enable
   no 80MHz-enable
   no short-guard-intvl-20MHz
   no short-guard-intvl-40MHz
   no short-guard-intvl-80MHz
wlan hotspot anqp-venue-name-profile default
wlan hotspot anqp-nwk-auth-profile default
wlan hotspot anqp-roam-cons-profile default
wlan hotspot anqp-nai-realm-profile default
wlan hotspot anqp-3gpp-nwk-profile default
wlan hotspot h2qp-operator-friendly-name-profile default
wlan hotspot h2qp-wan-metrics-profile default
wlan hotspot h2qp-conn-capability-profile default
wlan hotspot h2qp-op-cl-profile default
wlan hotspot anqp-ip-addr-avail-profile default
wlan hotspot anqp-domain-name-profile default
wlan wmm-traffic-management-profile Ascom
   enable-shaping
wlan edca-parameters-profile station default
wlan edca-parameters-profile ap default
wlan dot11k-profile default
wlan ssid-profile --NEW--
   essid ArubaIntop2
   wmm-vo-dscp 56
   wmm-vi-dscp 40
   wmm-be-dscp 24
   wmm-bk-dscp 8
wlan ssid-profile default
   essid ArubaIntop
   opmode wpa2-psk-aes
   dtim-period 5
   g-basic-rates 6
   g-tx-rates 11 12 18 24 36 48 54


   max-retries 4
   wmm
   wmm-vo-dscp 46
   wmm-vi-dscp 40
   wmm-be-dscp 26
   wmm-bk-dscp 0
   wepkey1 1317981aecb1ee9a3145cbeeabbbc99a4c29e309ef9c8544
   wpa-passphrase 50a78a5dac7e447441e028920cceef898a3ba5f29c6e2098
   max-tx-fail 25
   edca-parameters-profile station default
   edca-parameters-profile ap default
wlan ssid-profile test
   opmode wpa2-psk-aes
   wmm-vo-dscp 56
   wmm-vi-dscp 40
   wmm-be-dscp 24
   wmm-bk-dscp 8
   wpa-passphrase c66913b490044f55538730b888a8522c02008a746fb88738
wlan hotspot advertisement-profile default
wlan hotspot hs2-profile default
wlan virtual-ap default
   aaa-profile default-dot1x
ap provisioning-profile default
rf arm-rf-domain-profile
   arm-rf-domain-key 49868e8b02680a8f03980ea4288197a4
ap-lacp-striping-ip
ap-group default
   virtual-ap default
   dot11a-radio-profile ch149
   dot11g-radio-profile channel-6
ap-name 001a1eca2c1a
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-11
ap-name 001a1eca2c76
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-1
ap-name 00246ccbf8b1
ap-name 00246ccbf900
   dot11a-radio-profile ch44
   dot11g-radio-profile channel-11
ap-name 24dec6cacabc
   dot11a-radio-profile ch149
   dot11g-radio-profile channel-1
ap-name 3400-ap-61-a
   dot11g-radio-profile channel-6
ap-name 3400-ap-61-b
   dot11g-radio-profile channel-6
ap-name 9c1c12c0c3bc
   dot11a-radio-profile ch 165
   dot11g-radio-profile channel-6


ap-name 9c1c12c82e5c
   dot11a-radio-profile ch149
   dot11g-radio-profile channel-1
ap-name 9c1c12cc6220
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-6
ap-name d8c7c8c0a168
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-1
airgroup cppm-server aaa
logging level warnings security subcat ids
logging level warnings security subcat ids-ap
snmp-server enable trap
snmp-server trap source 0000
snmp-server trap disable wlsxAdhocNetwork
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedAP
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedSta
snmp-server trap disable wlsxAdhocUsingValidSSID
snmp-server trap disable wlsxAuthMaxAclEntries
snmp-server trap disable wlsxAuthMaxBWContracts
snmp-server trap disable wlsxAuthMaxUserEntries
snmp-server trap disable wlsxAuthServerIsUp
snmp-server trap disable wlsxAuthServerReqTimedOut
snmp-server trap disable wlsxAuthServerTimedOut
snmp-server trap disable wlsxChannelChanged
snmp-server trap disable wlsxCoverageHoleDetected
snmp-server trap disable wlsxDBCommunicationFailure
snmp-server trap disable wlsxDisconnectStationAttack
snmp-server trap disable wlsxESIServerDown
snmp-server trap disable wlsxESIServerUp
snmp-server trap disable wlsxFanFailure
snmp-server trap disable wlsxFanTrayInserted
snmp-server trap disable wlsxFanTrayRemoved
snmp-server trap disable wlsxGBICInserted
snmp-server trap disable wlsxIpSpoofingDetected
snmp-server trap disable wlsxLCInserted
snmp-server trap disable wlsxLCRemoved
snmp-server trap disable wlsxLicenseExpiry
snmp-server trap disable wlsxLowMemory
snmp-server trap disable wlsxLowOnFlashSpace
snmp-server trap disable wlsxOutOfRangeTemperature
snmp-server trap disable wlsxOutOfRangeVoltage
snmp-server trap disable wlsxPowerSupplyFailure
snmp-server trap disable wlsxPowerSupplyMissing
snmp-server trap disable wlsxProcessDied
snmp-server trap disable wlsxProcessExceedsMemoryLimits
snmp-server trap disable wlsxSCInserted
snmp-server trap disable wlsxSignatureMatch
snmp-server trap disable wlsxStaUnAssociatedFromUnsecureAP
snmp-server trap disable wlsxStationAddedToBlackList
snmp-server trap disable wlsxStationRemovedFromBlackList
snmp-server trap disable wlsxSwitchIPChanged
snmp-server trap disable wlsxSwitchRoleChange
snmp-server trap disable wlsxUserAuthenticationFailed
snmp-server trap disable wlsxUserEntryAuthenticated
snmp-server trap disable wlsxUserEntryChanged
snmp-server trap disable wlsxUserEntryCreated
snmp-server trap disable wlsxUserEntryDeAuthenticated
snmp-server trap disable wlsxUserEntryDeleted
snmp-server trap disable wlsxVrrpStateChange


firewall-visibility
process monitor log
end

WLAN TR

version 64enable secret 7d3988e20126db68084797bcc038534bffc2ced01c24555806hostname Aruba3400clock timezone PST -8location Building1floor1 controller config 716ip NAT pool dynamic-srcnat 0000 0000ip access-list eth validuserethacl permit any netservice svc-pcoip2-tcp tcp 4172netservice svc-snmp-trap udp 162netservice svc-netbios-dgm udp 138netservice svc-citrix tcp 2598netservice svc-smb-tcp tcp 445netservice svc-ike udp 500netservice svc-l2tp udp 1701netservice svc-syslog udp 514netservice svc-dhcp udp 67 68 alg dhcpnetservice svc-https tcp 443netservice svc-ica tcp 1494netservice svc-pptp tcp 1723netservice svc-telnet tcp 23netservice svc-http-accl tcp 88netservice svc-sccp tcp 2000 alg sccpnetservice svc-sec-papi udp 8209netservice svc-tftp udp 69 alg tftpnetservice svc-kerberos udp 88netservice svc-sip-tcp tcp 5060netservice svc-netbios-ssn tcp 139netservice svc-pcoip-udp udp 50002netservice svc-pcoip-tcp tcp 50002netservice svc-pop3 tcp 110netservice svc-adp udp 8200netservice svc-cfgm-tcp tcp 8211netservice svc-noe udp 32512 alg noenetservice svc-http-proxy3 tcp 8888netservice svc-lpd-tcp tcp 631netservice svc-msrpc-tcp tcp 135 139netservice svc-rtsp tcp 554 alg rtspnetservice svc-dns udp 53 alg dnsnetservice vnc tcp 5900 5905netservice svc-vocera udp 5002 alg voceranetservice svc-h323-tcp tcp 1720netservice svc-h323-udp udp 1718 1719netservice svc-http tcp 80netservice svc-nterm tcp 1026 1028netservice svc-sip-udp udp 5060netservice svc-http-proxy2 tcp 8080netservice svc-noe-oxo udp 5000 alg noenetservice svc-papi udp 8211netservice svc-ftp tcp 21 alg ftpnetservice svc-natt udp 4500netservice svc-svp 119 alg svpnetservice svc-microsoft-ds tcp 445netservice svc-gre 47netservice svc-smtp tcp 25netservice web tcp list 80 443netservice svc-smb-udp udp 445netservice svc-sips tcp 5061 alg sipsnetservice svc-netbios-ns udp 137netservice svc-esp 50netservice svc-cups tcp 515netservice svc-pcoip2-udp udp 4172netservice svc-bootp udp 67 69netservice svc-snmp udp 
161netservice svc-v6-dhcp udp 546 547netservice svc-icmp 1netservice svc-ntp udp 123netservice svc-msrpc-udp udp 135 139netservice svc-ssh tcp 22netservice svc-http-proxy1 tcp 3128netservice svc-v6-icmp 58netservice svc-lpd-udp udp 631netservice svc-vmware-rdp tcp 3389netdestination6 ipv6-reserved-range invert network 20003netexthdr defaulttime-range night-hours periodic weekday 1801 to 2359 weekday 0000 to 0759time-range weekend periodic weekend 0000 to 2359time-range working-hours periodic weekday 0800 to 1800ip access-list session allow-diskservices any any svc-netbios-dgm permit any any svc-netbios-ssn permit any any svc-microsoft-ds permit any any svc-netbios-ns permit ip access-list session control any any svc-papi permit any any svc-sec-papi permit user any udp 68 deny any any svc-icmp permit any any svc-dns permit any any svc-cfgm-tcp permit any any svc-adp permit any any svc-tftp permit any any svc-dhcp permit any any svc-natt permit ip access-list session v6-icmp-aclip access-list session apprf-ascom-saclip access-list session validuser network 16925400 25525500 any any deny network 127000 255000 any any deny network 224000 240000 any any deny host 255255255255 any any deny network 240000 240000 any any deny any any any permit ipv6 host fe80 any any deny ipv6 network fc007 any any permit ipv6 network fe8064 any any permit ipv6 alias ipv6-reserved-range any any deny ipv6 any any any permit ip access-list session vocera-acl any any svc-vocera permit queue high ip access-list session v6-https-aclip access-list session vmware-acl any any svc-vmware-rdp permit tos 46 dot1p-priority 6 any any svc-pcoip-tcp permit tos 46 dot1p-priority 6 any any svc-pcoip-udp permit tos 46 dot1p-priority 6 any any svc-pcoip2-tcp permit tos 46 dot1p-priority 6 any any svc-pcoip2-udp permit tos 46 dot1p-priority 6 ip access-list session apprf-default-vpn-role-saclip access-list session v6-control ipv6 any any svc-papi permit ipv6 any any svc-sec-papi permit ipv6 user any udp 547 
deny ipv6 any any svc-v6-icmp permit ipv6 any any svc-dns permit ipv6 any any svc-cfgm-tcp permit ipv6 any any svc-adp permit ipv6 any any svc-tftp permit ipv6 any any svc-dhcp permit ipv6 any any svc-natt permit ip access-list session icmp-acl any any svc-icmp permit ip access-list session apprf-authenticated-saclip access-list session apprf-stateful-dot1x-saclip access-list session captiveportal user alias controller svc-https dst-nat 8081 user any svc-http dst-nat 8080 user any svc-https dst-nat 8081 user any svc-http-proxy1 dst-nat 8088 user any svc-http-proxy2 dst-nat 8088 user any svc-http-proxy3 dst-nat 8088 ip access-list session v6-dhcp-aclip access-list session allowall any any any permit ip access-list session v6-dns-aclip access-list session apprf-voice-saclip access-list session lync-acl any any svc-sips permit queue high ip access-list session testip access-list session sip-acl any any svc-sip-udp permit queue high any any svc-sip-tcp permit queue high ip access-list session https-acl any any svc-https permit ip access-list session citrix-acl any any svc-citrix permit tos 46 dot1p-priority 6 any any svc-ica permit tos 46 dot1p-priority 6 ip access-list session dns-acl any any svc-dns permit ip access-list session ascom any any any permit ip access-list session ra-guard ipv6 user any icmpv6 rtr-adv deny ip access-list session allow-printservices any any svc-cups permit any any svc-lpd-tcp permit any any svc-lpd-udp permit ip access-list session logon-control user any udp 68 deny any any svc-icmp permit any any svc-dns permit any any svc-dhcp permit any any svc-natt permit any network 16925400 25525500 any deny any network 240000 240000 any deny ip access-list session vpnlogon user any svc-ike permit user any svc-esp permit any any svc-l2tp permit any any svc-pptp permit any any svc-gre permit ip access-list session srcnat user any any src-nat ip access-list session skinny-acl any any svc-sccp permit queue high ip access-list session tftp-acl any any 
svc-tftp permit ip access-list session v6-allowallip access-list session apprf-cpbase-saclip access-list session cplogout user alias controller svc-https dst-nat 8081 ip access-list session apprf-default-via-role-saclip access-list session dhcp-acl any any svc-dhcp permit ip access-list session http-acl any any svc-http permit ip access-list session v6-http-aclip access-list session captiveportal6 ipv6 user alias controller6 svc-https captive ipv6 user any svc-http captive ipv6 user any svc-https captive ipv6 user any svc-http-proxy1 captive ipv6 user any svc-http-proxy2 captive ipv6 user any svc-http-proxy3 captive ip access-list session apprf-guest-saclip access-list session ap-uplink-acl any any udp 68 permit any any svc-icmp permit any host 22400251 udp 5353 permit ip access-list session ap-acl any any svc-gre permit any any svc-syslog permit any user svc-snmp permit user any svc-http permit user any svc-http-accl permit user any svc-smb-tcp permit user any svc-msrpc-tcp permit user any svc-snmp-trap permit user any svc-ntp permit user alias controller svc-ftp permit ip access-list session svp-acl any any svc-svp permit queue high user host 22401116 any permit ip access-list session noe-acl any any svc-noe permit queue high ip access-list session global-saclip access-list session v6-ap-acl ipv6 any any svc-gre permit ipv6 any any svc-syslog permit ipv6 any user svc-snmp permit ipv6 user any svc-snmp-trap permit ipv6 user any svc-ntp permit ipv6 user alias controller6 svc-ftp permit ip access-list session h323-acl any any svc-h323-tcp permit queue high any any svc-h323-udp permit queue high ip access-list session v6-logon-control ipv6 any network fc007 any permit ipv6 any network fe8064 any permit ipv6 any alias ipv6-reserved-range any deny vpn-dialer default-dialer ike authentication PRE-SHARE 0fa4598253e270cc96afbec0732b06120e4a3d76a908f6e2dot1x high-watermark 60dot1x low-watermark 57user-role ap-role access-list session ra-guard access-list session control 
access-list session ap-acl access-list session v6-control access-list session v6-ap-acluser-role denyalluser-role default-vpn-role access-list session global-sacl access-list session apprf-default-vpn-role-sacl access-list session ra-guard access-list session allowall access-list session v6-allowalluser-role cpbase access-list session global-sacl access-list session apprf-cpbase-sacluser-role voice access-list session global-sacl access-list session apprf-voice-sacl access-list session ra-guard access-list session sip-acl access-list session noe-acl access-list session svp-acl access-list session vocera-acl access-list session skinny-acl access-list session h323-acl access-list session dhcp-acl access-list session tftp-acl access-list session dns-acl access-list session icmp-acluser-role ascom access-list session global-sacl access-list session apprf-ascom-sacl access-list session ascomuser-role default-via-role access-list session global-sacl access-list session apprf-default-via-role-sacl access-list session allowall access-list session v6-allowalluser-role guest-logon captive-portal default access-list session ra-guard access-list session logon-control access-list session captiveportal access-list session v6-logon-control access-list session captiveportal6user-role guest access-list session global-sacl access-list session apprf-guest-sacl access-list session ra-guard access-list session http-acl access-list session https-acl access-list session dhcp-acl access-list session icmp-acl access-list session dns-acl access-list session v6-http-acl access-list session v6-https-acl access-list session v6-dhcp-acl access-list session v6-icmp-acl access-list session v6-dns-acluser-role stateful-dot1x access-list session global-sacl access-list session apprf-stateful-dot1x-sacluser-role authenticated access-list session global-sacl access-list session apprf-authenticated-sacl access-list session ra-guard access-list session allowall access-list session v6-allowalluser-role 
logon access-list session ra-guard access-list session logon-control access-list session captiveportal access-list session vpnlogon access-list session v6-logon-control access-list session captiveportal6no kernel coredumpinterface mgmtshutdowndialer group evdo_us init-string ATQ0V1E0 dial-string ATDT777dialer group gsm_us init-string AT+CGDCONT=1IPISPCINGULAR dial-string ATD99dialer group gsm_asia init-string AT+CGDCONT=1IPinternet dial-string ATD991dialer group vivo_br init-string AT+CGDCONT=1IPzapvivocombr dial-string ATD99no spanning-treeinterface gigabitethernet 10description GE10trustedtrusted vlan 1-4094interface gigabitethernet 11description GE11trustedtrusted vlan 1-4094interface gigabitethernet 12description GE12trustedtrusted vlan 1-4094interface gigabitethernet 13description GE13trustedtrusted vlan 1-4094interface vlan 1ip address 192168013 2552552550ip default-gateway 172201061ip default-gateway 192168050uplink disablecrypto isakmp policy 20 encryption aes256crypto isakmp policy 10001crypto isakmp policy 10002 encryption aes256 authentication rsa-sigcrypto isakmp policy 10003 encryption aes256crypto isakmp policy 10004 version v2 encryption aes256 authentication rsa-sigcrypto isakmp policy 10005 encryption aes256crypto isakmp policy 10006 version v2 encryption aes128 authentication rsa-sigcrypto isakmp policy 10007 version v2 encryption aes128crypto isakmp policy 10008 version v2 encryption aes128 hash sha2-256-128 group 19 authentication ecdsa-256 prf prf-hmac-sha256crypto isakmp policy 10009 version v2 encryption aes256 hash sha2-384-192 group 20 authentication ecdsa-384 prf prf-hmac-sha384crypto ipsec transform-set default-ha-transform esp-3des esp-sha-hmaccrypto ipsec transform-set default-boc-bm-transform esp-3des esp-sha-hmaccrypto ipsec transform-set default-rap-transform esp-aes256 esp-sha-hmaccrypto ipsec transform-set default-aes esp-aes256 esp-sha-hmaccrypto dynamic-map default-rap-ipsecmap 10001 version v2 set transform-set default-gcm256 

WLAN TR

WLAN Interoperability Test Report

Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP115 and AP225

WLAN configuration:
Beacon Interval 100ms
DTIM Interval 5
802.11d Regulatory Domain XX
WMM Enabled (AutoWMM)
No Auto-tune
Single Voice VLAN

| Test Case | Description | Ap115 2.4 GHz Verdict | Ap115 5.0 GHz Verdict | AP225 2.4 GHz Verdict | AP225 5.0 GHz Verdict | Comment |
|---|---|---|---|---|---|---|
| | TEST AREA ASSOCIATION AUTHENTICATION | | | | | |
| 101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS | |
| 104 | Association with WPA-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 105 | Association with WPA-PSK authentication, AES-CCMP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 106 | Association with WPA2-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS | |
| 110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL |
| 111 | Association with EAP-FAST authentication | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment |
| 116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate |
| | TEST AREA POWER-SAVE AND QOS | | | | | PASS |
| 150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL |
| 151 | Beacon period and DTIM interval | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
| 152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment |
| 202 | WMM prioritization | PASS | PASS | PASS | PASS | Background load generated with iPerf. No degeneration of voice quality |
| | TEST AREA PERFORMANCE | | | | | |
| 301 | Active mode - unencrypted | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 303 | Active mode - encrypted with WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 308 | Power-save mode U-APSD - WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 309 | Power-save mode U-APSD - WPA2-PSK AES background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 310 | CAC - TSPEC | PASS | PASS | PASS | PASS | No TSPEC based CAC |
| | TEST AREA ROAMING AND HANDOVER TIMES | | | | | |
| 401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | avg a/n 24ms, b/g/n 24ms |
| 403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 52ms, b/g/n 59ms |
| 408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 63ms, b/g/n 62ms |
| 410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | always on, see 408 |
| 411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | always on, see 408 |
| | TEST AREA BATTERY LIFETIME | | | | | |
| 501 | Battery lifetime in idle | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 502 | Battery lifetime in call with no power save | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 504 | Battery lifetime in call with power save mode U-APSD | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| | TEST AREA STABILITY | | | | | |
| 601 | Duration of call - Active mode | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 602 | Duration of call - U-APSD mode | PASS | PASS | PASS | PASS | |
| | TEST AREA 802.11n | | | | | |
| 801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 804 | 40 MHz channels | NOT TESTED | PASS | NOT TESTED | NOT TESTED | |
| 805 | 802.11n rates | PASS | PASS | PASS | PASS | |

WLAN Interoperability Test Report

Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, Ap103 and AP205

WLAN configuration:
Beacon Interval 100ms
DTIM Interval 5
802.11d Regulatory Domain XX
WMM Enabled (AutoWMM)
No Auto-tune
Single Voice VLAN

| Test Case | Description | AP205 2.4 GHz Verdict | AP205 5.0 GHz Verdict | Ap103 2.4 GHz Verdict | Ap103 5.0 GHz Verdict | Comment |
|---|---|---|---|---|---|---|
| | TEST AREA ASSOCIATION AUTHENTICATION | | | | | |
| 101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS | |
| 104 | Association with WPA-PSK authentication, TKIP encryption | See Comment | See Comment | See Comment | See Comment | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 105 | Association with WPA-PSK authentication, AES-CCMP encryption | See Comment | See Comment | See Comment | See Comment | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 106 | Association with WPA2-PSK authentication, TKIP encryption | PASS | PASS | PASS | PASS | |
| 107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS | |
| 110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL |
| 115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment |
| 116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate |
| | TEST AREA POWER-SAVE AND QOS | | | | | PASS |
| 150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL |
| 151 | Beacon period and DTIM interval | See Comment | See Comment | PASS | PASS | Only Dtim 1 for AP205 AP103 no remark NOT TESTED |
| 152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment |
| 202 | WMM prioritization | PASS | PASS | PASS | PASS | |
| | TEST AREA PERFORMANCE | | | | | |
| 301 | Active mode - unencrypted | PASS | PASS | PASS | PASS | |
| 303 | Active mode - encrypted with WPA2-PSK | PASS | PASS | PASS | PASS | |
| 308 | Power-save mode U-APSD - WPA2-PSK | PASS | PASS | PASS | PASS | |
| 309 | Power-save mode U-APSD - WPA2-PSK AES background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 310 | CAC - TSPEC | PASS | PASS | PASS | PASS | Non tspec based CAC |
| | TEST AREA ROAMING AND HANDOVER TIMES | | | | | |
| 401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 16ms, b/g/n 18ms |
| 403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 53ms, b/g/n 59ms |
| 408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 46ms, b/g/n 62ms |
| 410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | always on, see 408 |
| 411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | always on, see 408 |
| | TEST AREA BATTERY LIFETIME | | | | | |
| 501 | Battery lifetime in idle | See Comment | See Comment | PASS | PASS | 60-70h due to DTIM 1 only AP103 90 100h (DTIM 5) |
| 502 | Battery lifetime in call with no power save | PASS | PASS | PASS | PASS | 3-4 hours |
| 504 | Battery lifetime in call with power save mode U-APSD | PASS | PASS | PASS | PASS | 13h (14-16h for AP103) |
| | TEST AREA STABILITY | | | | | |
| 601 | Duration of call - Active mode | PASS | PASS | PASS | PASS | 24h + |
| 602 | Duration of call - U-APSD mode | PASS | PASS | PASS | PASS | 24h + |
| | TEST AREA 802.11n | | | | | |
| 801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 804 | 40 MHz channels | NOT TESTED | PASS | NOT TESTED | PASS | AP205 80 MHz channels verified ok |
| 805 | 802.11n rates | PASS | PASS | PASS | PASS | |

WLAN Interoperability Test Report

Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, Ap105 and AP135

WLAN configuration:
Beacon Interval 100ms
DTIM Interval 5
802.11d Regulatory Domain XX
WMM Enabled (AutoWMM)
No Auto-tune
Single Voice VLAN

| Test Case | Description | Ap105 2.4 GHz Verdict | Ap105 5.0 GHz Verdict | AP135 2.4 GHz Verdict | AP135 5.0 GHz Verdict | Comment |
|---|---|---|---|---|---|---|
| | TEST AREA ASSOCIATION AUTHENTICATION | | | | | |
| 101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS | |
| 104 | Association with WPA-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 105 | Association with WPA-PSK authentication, AES-CCMP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 106 | Association with WPA2-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS | |
| 110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL |
| 115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment |
| 116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate |
| | TEST AREA POWER-SAVE AND QOS | | | | | PASS |
| 150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL |
| 151 | Beacon period and DTIM interval | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Only Dtim 1 for AP205 AP103 no remark NOT TESTED |
| 152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment |
| 202 | WMM prioritization | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Background load generated with iPerf. No degeneration of voice quality |
| | TEST AREA PERFORMANCE | | | | | |
| 301 | Active mode - unencrypted | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 303 | Active mode - encrypted with WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 308 | Power-save mode U-APSD - WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 309 | Power-save mode U-APSD - WPA2-PSK AES background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 310 | CAC - TSPEC | PASS | PASS | PASS | PASS | No TSPEC based CAC |
| | TEST AREA ROAMING AND HANDOVER TIMES | | | | | |
| 401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | avg a/n 29ms, b/g/n 27ms |
| 403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 57ms, b/g/n 55ms |
| 408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 62ms, b/g/n 60ms |
| 410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | Always on, see 408 |
| 411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | Always on, see 408 |
| 412 | Preauthentication | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| | TEST AREA BATTERY LIFETIME | | | | | |
| 501 | Battery lifetime in idle | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 502 | Battery lifetime in call with no power save | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 504 | Battery lifetime in call with power save mode U-APSD | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| | TEST AREA STABILITY | | | | | |
| 601 | Duration of call - Active mode | PASS | PASS | PASS | PASS | |
| 602 | Duration of call - U-APSD mode | PASS | PASS | PASS | PASS | |
| | TEST AREA 802.11n | | | | | |
| 801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 804 | 40 MHz channels | NOT TESTED | NOT TESTED | NOT TESTED | PASS | |
| 805 | 802.11n rates | PASS | PASS | PASS | PASS | |

access-list session captiveportal6
no kernel coredump
interface mgmt
   shutdown
dialer group evdo_us
   init-string ATQ0V1E0
   dial-string ATDT777
dialer group gsm_us
   init-string AT+CGDCONT=1IPISPCINGULAR
   dial-string ATD99
dialer group gsm_asia
   init-string AT+CGDCONT=1IPinternet
   dial-string ATD991
dialer group vivo_br
   init-string AT+CGDCONT=1IPzapvivocombr
   dial-string ATD99
no spanning-tree
interface gigabitethernet 10
   description GE10
   trusted
   trusted vlan 1-4094
interface gigabitethernet 11
   description GE11
   trusted
   trusted vlan 1-4094
interface gigabitethernet 12
   description GE12
   trusted
   trusted vlan 1-4094
interface gigabitethernet 13
   description GE13
   trusted
   trusted vlan 1-4094
interface vlan 1
   ip address 192168013 2552552550
ip default-gateway 172201061
ip default-gateway 192168050
uplink disable
crypto isakmp policy 20
   encryption aes256
crypto isakmp policy 10001
crypto isakmp policy 10002
   encryption aes256
   authentication rsa-sig
crypto isakmp policy 10003
   encryption aes256
crypto isakmp policy 10004
   version v2
   encryption aes256
   authentication rsa-sig
crypto isakmp policy 10005
   encryption aes256
crypto isakmp policy 10006
   version v2
   encryption aes128
   authentication rsa-sig
crypto isakmp policy 10007
   version v2
   encryption aes128
crypto isakmp policy 10008
   version v2
   encryption aes128
   hash sha2-256-128
   group 19
   authentication ecdsa-256
   prf prf-hmac-sha256
crypto isakmp policy 10009
   version v2
   encryption aes256
   hash sha2-384-192
   group 20
   authentication ecdsa-384
   prf prf-hmac-sha384
crypto ipsec transform-set default-ha-transform esp-3des esp-sha-hmac
crypto ipsec transform-set default-boc-bm-transform esp-3des esp-sha-hmac
crypto ipsec transform-set default-rap-transform esp-aes256 esp-sha-hmac
crypto ipsec transform-set default-aes esp-aes256 esp-sha-hmac
crypto dynamic-map default-rap-ipsecmap 10001
   version v2
   set transform-set default-gcm256 default-gcm128 default-rap-transform
crypto dynamic-map default-dynamicmap 10000
   set transform-set default-transform default-aes
crypto map GLOBAL-IKEV2-MAP 10000 ipsec-isakmp dynamic default-rap-ipsecmap
crypto map GLOBAL-MAP 10000 ipsec-isakmp dynamic default-dynamicmap
crypto isakmp eap-passthrough eap-tls
crypto isakmp eap-passthrough eap-peap
crypto isakmp eap-passthrough eap-mschapv2
vpdn group l2tp
vpdn group pptp
tunneled-node-address 0000
adp discovery enable
adp igmp-join enable
adp igmp-vlan 0
voice rtcp-inactivity disable
voice alg-based-cac enable
voice sip-midcall-req-timeout disable
ap ap-blacklist-time 3600
ap flush-r1-on-new-r0 disable
mgmt-user admin root 5436b5a101681372db26d314e974065944317cd3e1fe6a5534
no database synchronize
ip mobile domain default
airgroup mdns enable
airgroup dlna enable
airgroup location-discovery enable
airgroup active-wireless-discovery disable
airgroupservice airplay
   id _airplay_tcp
   id _raop_tcp
   id _appletv-v2_tcp
   description AirPlay
airgroupservice airprint
   id _ipp_tcp
   id _pdl-datastream_tcp
   id _printer_tcp
   id _scanner_tcp
   id _universal_sub_ipp_tcp
   id _universal_sub_ipps_tcp
   id _printer_sub_http_tcp
   id _http_tcp
   id _http-alt_tcp
   id _ipp-tls_tcp
   id _fax-ipp_tcp
   id _riousbprint_tcp
   id _cups_sub_ipp_tcp
   id _cups_sub_fax-ipp_tcp
   id _ica-networking_tcp
   id _ptp_tcp
   id _canon-bjnp1_tcp
   id _ipps_tcp
   id _ica-networking2_tcp
   description AirPrint
airgroupservice itunes
   id _home-sharing_tcp
   id _apple-mobdev_tcp
   id _daap_tcp
   id _dacp_tcp
   description iTunes
airgroupservice remotemgmt
   id _ssh_tcp
   id _sftp-ssh_tcp
   id _ftp_tcp
   id _telnet_tcp
   id _rfb_tcp
   id _net-assistant_tcp
   description Remote management
airgroupservice sharing
   id _odisk_tcp
   id _afpovertcp_tcp
   id _xgrid_tcp
   description Sharing
airgroupservice chat
   id _presence_tcp
   description Chat
airgroupservice googlecast
   id _googlecast_tcp
   description GoogleCast supported by Chromecast etc
airgroupservice DIAL
   id urndial-multiscreen-orgservicedial1
   id urndial-multiscreen-orgdevicedial1
   description DIAL supported by Chromecast FireTV Roku etc
airgroupservice DLNA Media
   id urnschemas-upnp-orgdeviceMediaServer1
   id urnschemas-upnp-orgdeviceMediaServer2
   id urnschemas-upnp-orgdeviceMediaServer3
   id urnschemas-upnp-orgdeviceMediaServer4
   id urnschemas-upnp-orgdeviceMediaRenderer1
   id urnschemas-upnp-orgdeviceMediaRenderer2
   id urnschemas-upnp-orgdeviceMediaRenderer3
   id urnschemas-upnp-orgdeviceMediaPlayer1
   description Media
airgroupservice DLNA Print
   id urnschemas-upnp-orgdevicePrinter1
   id urnschemas-upnp-orgservicePrintBasic1
   id urnschemas-upnp-orgservicePrintEnhanced1
   description Print
airgroupservice allowall
   description Remaining-Services
airgroup service airplay enable
airgroup service airprint enable
airgroup service itunes disable
airgroup service remotemgmt disable
airgroup service sharing disable
airgroup service chat disable
airgroup service googlecast disable
airgroup service DIAL enable
airgroup service DLNA Media disable
airgroup service DLNA Print disable
airgroup service allowall disable
ip igmp
ipv6 mld
no firewall attack-rate cp 1024
firewall enable ICE-STUN based firewall traversal
firewall attack-rate grat-arp 50 drop
ipv6 firewall ext-hdr-parse-len 100
firewall cp
ip domain lookup
country US
aaa authentication mac default
aaa authentication dot1x ArubaIntop-dot1x_prof
aaa authentication dot1x ascom
   machine-authentication enable
   machine-authentication machine-default-role ascom
   machine-authentication user-default-role authenticated
   reauthentication
   termination enable
   termination eap-type eap-peap
   termination inner-eap-type eap-mschapv2
aaa authentication dot1x default
aaa authentication dot1x Freeradius
   machine-authentication enable
   machine-authentication machine-default-role ascom
   machine-authentication user-default-role authenticated
aaa authentication-server radius Intop
   host 19216802
   key 6035e299cd29e5ccb74cf92aac31ee2f
aaa server-group ascom
   auth-server Internal
aaa server-group default
   auth-server Internal
   set role condition role value-of
aaa server-group intop
   auth-server Intop
aaa profile ascom
   initial-role ascom
   authentication-dot1x ascom
   dot1x-default-role authenticated
   dot1x-server-group ascom
aaa profile default
aaa profile default-dot1x
   initial-role ascom
   authentication-dot1x Freeradius
   dot1x-default-role authenticated
   dot1x-server-group intop
aaa profile default-dot1x-psk
   initial-role ascom
   authentication-dot1x default-psk
   dot1x-default-role authenticated
aaa authentication captive-portal default
aaa authentication wispr default
aaa authentication vpn default
aaa authentication vpn default-rap
aaa authentication mgmt
aaa authentication stateful-ntlm default
aaa authentication stateful-kerberos default
aaa authentication stateful-dot1x
   server-group intop
aaa authentication wired
web-server
guest-access-email
voice logging
voice dialplan-profile default
app lync traffic-control default
voice real-time-config
voice sip
aaa password-policy mgmt
control-plane-security
   no cpsec-enable
ids wms-general-profile
   poll-retries 3
ids wms-local-system-profile
valid-network-oui-profile
upgrade-profile
license profile
activate-service-whitelist
file syncing profile
ifmap cppm
pan profile default
pan active-profile
ap system-profile default
ap regulatory-domain-profile default
   country-code US
   valid-11g-channel 1
   valid-11g-channel 6
   valid-11g-channel 11
   valid-11a-channel 36
   valid-11a-channel 40
   valid-11a-channel 44
   valid-11a-channel 48
   valid-11a-channel 149
   valid-11a-channel 153
   valid-11a-channel 157
   valid-11a-channel 161
   valid-11a-channel 165
   valid-11g-40mhz-channel-pair 1-5
   valid-11g-40mhz-channel-pair 7-11
   valid-11a-40mhz-channel-pair 36-40
   valid-11a-40mhz-channel-pair 44-48
   valid-11a-40mhz-channel-pair 149-153
   valid-11a-40mhz-channel-pair 157-161
ap wired-ap-profile default
ap enet-link-profile default
ap mesh-ht-ssid-profile default
ap lldp med-network-policy-profile default
ap mesh-cluster-profile default
ap lldp profile default
ap mesh-radio-profile default
ap wired-port-profile default
ids general-profile default
ids unauthorized-device-profile default
ids profile default
rf arm-profile default
   assignment disable
rf arm-profile disable
   assignment disable
   no scanning
   no multi-band-scan
rf optimization-profile default
rf event-thresholds-profile default
rf am-scan-profile default
rf dot11a-radio-profile ch 165
   channel 48E
   tx-power 6
   arm-profile disable
rf dot11a-radio-profile ch 36
   channel 36E
   tx-power 25
   dot11h
   arm-profile disable
rf dot11a-radio-profile ch 40
   channel 40-
   tx-power 22
rf dot11a-radio-profile ch149
   channel 149E
   tx-power 6
   dot11h
rf dot11a-radio-profile ch44
   channel 44
   tx-power 16
rf dot11a-radio-profile default
   arm-profile disable
rf dot11g-radio-profile channel-1
   channel 1
   tx-power 6
   dot11h
   arm-profile disable
rf dot11g-radio-profile channel-11
   channel 11
   tx-power 30
   dot11h
   arm-profile disable
rf dot11g-radio-profile channel-6
   channel 6
   tx-power 25
   dot11h
   arm-profile disable
rf dot11g-radio-profile default
wlan handover-trigger-profile default
wlan rrm-ie-profile default
wlan bcn-rpt-req-profile default
wlan dot11r-profile default
wlan tsm-req-profile default
wlan voip-cac-profile default
   call-capacity 5
   bandwidth-capacity 200
   send-sip-status-code client 503
   send-sip-status-code server 503
wlan ht-ssid-profile default
   no 40MHz-enable
   no very-high-throughput-enable
   no 80MHz-enable
   no short-guard-intvl-20MHz
   no short-guard-intvl-40MHz
   no short-guard-intvl-80MHz
wlan hotspot anqp-venue-name-profile default
wlan hotspot anqp-nwk-auth-profile default
wlan hotspot anqp-roam-cons-profile default
wlan hotspot anqp-nai-realm-profile default
wlan hotspot anqp-3gpp-nwk-profile default
wlan hotspot h2qp-operator-friendly-name-profile default
wlan hotspot h2qp-wan-metrics-profile default
wlan hotspot h2qp-conn-capability-profile default
wlan hotspot h2qp-op-cl-profile default
wlan hotspot anqp-ip-addr-avail-profile default
wlan hotspot anqp-domain-name-profile default
wlan wmm-traffic-management-profile Ascom
   enable-shaping
wlan edca-parameters-profile station default
wlan edca-parameters-profile ap default
wlan dot11k-profile default
wlan ssid-profile --NEW--
   essid ArubaIntop2
   wmm-vo-dscp 56
   wmm-vi-dscp 40
   wmm-be-dscp 24
   wmm-bk-dscp 8
wlan ssid-profile default
   essid ArubaIntop
   opmode wpa2-psk-aes
   dtim-period 5
   g-basic-rates 6
   g-tx-rates 11 12 18 24 36 48 54
   max-retries 4
   wmm
   wmm-vo-dscp 46
   wmm-vi-dscp 40
   wmm-be-dscp 26
   wmm-bk-dscp 0
   wepkey1 1317981aecb1ee9a3145cbeeabbbc99a4c29e309ef9c8544
   wpa-passphrase 50a78a5dac7e447441e028920cceef898a3ba5f29c6e2098
   max-tx-fail 25
   edca-parameters-profile station default
   edca-parameters-profile ap default
wlan ssid-profile test
   opmode wpa2-psk-aes
   wmm-vo-dscp 56
   wmm-vi-dscp 40
   wmm-be-dscp 24
   wmm-bk-dscp 8
   wpa-passphrase c66913b490044f55538730b888a8522c02008a746fb88738
wlan hotspot advertisement-profile default
wlan hotspot hs2-profile default
wlan virtual-ap default
   aaa-profile default-dot1x
ap provisioning-profile default
rf arm-rf-domain-profile
   arm-rf-domain-key 49868e8b02680a8f03980ea4288197a4
ap-lacp-striping-ip
ap-group default
   virtual-ap default
   dot11a-radio-profile ch149
   dot11g-radio-profile channel-6
ap-name 001a1eca2c1a
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-11
ap-name 001a1eca2c76
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-1
ap-name 00246ccbf8b1
ap-name 00246ccbf900
   dot11a-radio-profile ch44
   dot11g-radio-profile channel-11
ap-name 24dec6cacabc
   dot11a-radio-profile ch149
   dot11g-radio-profile channel-1
ap-name 3400-ap-61-a
   dot11g-radio-profile channel-6
ap-name 3400-ap-61-b
   dot11g-radio-profile channel-6
ap-name 9c1c12c0c3bc
   dot11a-radio-profile ch 165
   dot11g-radio-profile channel-6
ap-name 9c1c12c82e5c
   dot11a-radio-profile ch149
   dot11g-radio-profile channel-1
ap-name 9c1c12cc6220
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-6
ap-name d8c7c8c0a168
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-1
airgroup cppm-server aaa
logging level warnings security subcat ids
logging level warnings security subcat ids-ap
snmp-server enable trap
snmp-server trap source 0000
snmp-server trap disable wlsxAdhocNetwork
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedAP
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedSta
snmp-server trap disable wlsxAdhocUsingValidSSID
snmp-server trap disable wlsxAuthMaxAclEntries
snmp-server trap disable wlsxAuthMaxBWContracts
snmp-server trap disable wlsxAuthMaxUserEntries
snmp-server trap disable wlsxAuthServerIsUp
snmp-server trap disable wlsxAuthServerReqTimedOut
snmp-server trap disable wlsxAuthServerTimedOut
snmp-server trap disable wlsxChannelChanged
snmp-server trap disable wlsxCoverageHoleDetected
snmp-server trap disable wlsxDBCommunicationFailure
snmp-server trap disable wlsxDisconnectStationAttack
snmp-server trap disable wlsxESIServerDown
snmp-server trap disable wlsxESIServerUp
snmp-server trap disable wlsxFanFailure
snmp-server trap disable wlsxFanTrayInserted
snmp-server trap disable wlsxFanTrayRemoved
snmp-server trap disable wlsxGBICInserted
snmp-server trap disable wlsxIpSpoofingDetected
snmp-server trap disable wlsxLCInserted
snmp-server trap disable wlsxLCRemoved
snmp-server trap disable wlsxLicenseExpiry
snmp-server trap disable wlsxLowMemory
snmp-server trap disable wlsxLowOnFlashSpace
snmp-server trap disable wlsxOutOfRangeTemperature
snmp-server trap disable wlsxOutOfRangeVoltage
snmp-server trap disable wlsxPowerSupplyFailure
snmp-server trap disable wlsxPowerSupplyMissing
snmp-server trap disable wlsxProcessDied
snmp-server trap disable wlsxProcessExceedsMemoryLimits
snmp-server trap disable wlsxSCInserted
snmp-server trap disable wlsxSignatureMatch
snmp-server trap disable wlsxStaUnAssociatedFromUnsecureAP
snmp-server trap disable wlsxStationAddedToBlackList
snmp-server trap disable wlsxStationRemovedFromBlackList
snmp-server trap disable wlsxSwitchIPChanged
snmp-server trap disable wlsxSwitchRoleChange
snmp-server trap disable wlsxUserAuthenticationFailed
snmp-server trap disable wlsxUserEntryAuthenticated
snmp-server trap disable wlsxUserEntryChanged
snmp-server trap disable wlsxUserEntryCreated
snmp-server trap disable wlsxUserEntryDeAuthenticated
snmp-server trap disable wlsxUserEntryDeleted
snmp-server trap disable wlsxVrrpStateChange
firewall-visibility
process monitor log
end


WLAN TR

WLAN Interoperability Test Report

Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP115 and AP225
WLAN configuration: Beacon Interval 100ms; DTIM Interval 5; 802.11d Regulatory Domain XX; WMM Enabled (AutoWMM); No Auto-tune; Single Voice VLAN

| Test Case | Description | AP115 2.4GHz Verdict | AP115 5.0GHz Verdict | AP225 2.4GHz Verdict | AP225 5.0GHz Verdict | Comment |
|---|---|---|---|---|---|---|
| | TEST AREA ASSOCIATION AUTHENTICATION | | | | | |
| 101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS | |
| 104 | Association with WPA-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 105 | Association with WPA-PSK authentication, AES-CCMP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 106 | Association with WPA2-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS | |
| 110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL |
| 111 | Association with EAP-FAST authentication | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment |
| 116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate |
| | TEST AREA POWER-SAVE AND QOS | | | | | PASS |
| 150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL |
| 151 | Beacon period and DTIM interval | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
| 152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment |
| 202 | WMM prioritization | PASS | PASS | PASS | PASS | background load generated with iPerf. No degeneration of voice quality |
| | TEST AREA PERFORMANCE | | | | | |
| 301 | Active mode - unencrypted | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 303 | Active mode - encrypted with WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 308 | Power-save mode U-APSD - WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 309 | Power-save mode U-APSD - WPA2-PSK AES background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 310 | CAC - TSPEC | PASS | PASS | PASS | PASS | No TSPEC based CAC |
| | TEST AREA ROAMING AND HANDOVER TIMES | | | | | |
| 401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | avg a/n 24ms, b/g/n 24ms |
| 403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 52ms, b/g/n 59ms |
| 408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 63ms, b/g/n 62ms |
| 410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | always on, see 408 |
| 411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | always on, see 408 |
| | TEST AREA BATTERY LIFETIME | | | | | |
| 501 | Battery lifetime in idle | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 502 | Battery lifetime in call with no power save | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 504 | Battery lifetime in call with power save mode U-APSD | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| | TEST AREA STABILITY | | | | | |
| 601 | Duration of call - Active mode | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 602 | Duration of call - U-APSD mode | PASS | PASS | PASS | PASS | |
| | TEST AREA 802.11n | | | | | |
| 801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 804 | 40MHz channels | NOT TESTED | PASS | NOT TESTED | NOT TESTED | |
| 805 | 802.11n rates | PASS | PASS | PASS | PASS | |


WLAN Interoperability Test Report

Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP103 and AP205
WLAN configuration: Beacon Interval 100ms; DTIM Interval 5; 802.11d Regulatory Domain XX; WMM Enabled (AutoWMM); No Auto-tune; Single Voice VLAN

| Test Case | Description | AP205 2.4GHz Verdict | AP205 5.0GHz Verdict | AP103 2.4GHz Verdict | AP103 5.0GHz Verdict | Comment |
|---|---|---|---|---|---|---|
| | TEST AREA ASSOCIATION AUTHENTICATION | | | | | |
| 101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS | |
| 104 | Association with WPA-PSK authentication, TKIP encryption | See Comment | See Comment | See Comment | See Comment | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 105 | Association with WPA-PSK authentication, AES-CCMP encryption | See Comment | See Comment | See Comment | See Comment | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 106 | Association with WPA2-PSK authentication, TKIP encryption | PASS | PASS | PASS | PASS | |
| 107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS | |
| 110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL |
| 115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment |
| 116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate |
| | TEST AREA POWER-SAVE AND QOS | | | | | PASS |
| 150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL |
| 151 | Beacon period and DTIM interval | See Comment | See Comment | PASS | PASS | Only DTIM 1 for AP205, AP103 no remark NOT TESTED |
| 152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment |
| 202 | WMM prioritization | PASS | PASS | PASS | PASS | |
| | TEST AREA PERFORMANCE | | | | | |
| 301 | Active mode - unencrypted | PASS | PASS | PASS | PASS | |
| 303 | Active mode - encrypted with WPA2-PSK | PASS | PASS | PASS | PASS | |
| 308 | Power-save mode U-APSD - WPA2-PSK | PASS | PASS | PASS | PASS | |
| 309 | Power-save mode U-APSD - WPA2-PSK AES background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 310 | CAC - TSPEC | PASS | PASS | PASS | PASS | Non tspec based CAC |
| | TEST AREA ROAMING AND HANDOVER TIMES | | | | | |
| 401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 16ms, b/g/n 18ms |
| 403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 53ms, b/g/n 59ms |
| 408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 46ms, b/g/n 62ms |
| 410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | always on, see 408 |
| 411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | always on, see 408 |
| | TEST AREA BATTERY LIFETIME | | | | | |
| 501 | Battery lifetime in idle | See Comment | See Comment | PASS | PASS | 60-70h due to DTIM 1 only AP103 90 100h (DTIM 5) |
| 502 | Battery lifetime in call with no power save | PASS | PASS | PASS | PASS | 3-4hours |
| 504 | Battery lifetime in call with power save mode U-APSD | PASS | PASS | PASS | PASS | 13h (14-16h for AP103) |
| | TEST AREA STABILITY | | | | | |
| 601 | Duration of call - Active mode | PASS | PASS | PASS | PASS | 24h + |
| 602 | Duration of call - U-APSD mode | PASS | PASS | PASS | PASS | 24h + |
| | TEST AREA 802.11n | | | | | |
| 801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 804 | 40MHz channels | NOT TESTED | PASS | NOT TESTED | PASS | AP205 80MHz channels verified ok |
| 805 | 802.11n rates | PASS | PASS | PASS | PASS | |

WLAN Interoperability Test Report

Test object - Handset: Ascom i62 sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP105 and AP135

WLAN configuration:
Beacon Interval 100ms
DTIM Interval 5
802.11d Regulatory Domain XX
WMM Enabled (AutoWMM)
No Auto-tune
Single Voice VLAN

Test Case, Description, Verdict (AP105 2.4GHz), Verdict (AP105 5.0GHz), Verdict (AP135 2.4GHz), Verdict (AP135 5.0GHz), Comment
TEST AREA ASSOCIATION AUTHENTICATION
101 Association with open authentication no encryption PASS PASS PASS PASS
104 Association with WPA-PSK authentication TKIP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED Not tested Only possible in Mixed mode and requires advanced configuration of i62
105 Association with WPA-PSK authentication AES-CCMP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED Not tested Only possible in Mixed mode and requires advanced configuration of i62
106 Association with WPA2-PSK authentication TKIP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED
107 Association with WPA2-PSK authentication AES-CCMP encryption PASS PASS PASS PASS
110 Association with PEAP-MSCHAPv2 auth AES-CCMP encryption PASS PASS PASS PASS FreeRADIUS RootCA FAIL
115 Association with multiple ESSIDs on AP PASS PASS PASS PASS See Comment
116 Association with EAP-TLS authentication PASS PASS PASS PASS FreeRADIUS RootCA + client certificate
TEST AREA POWER-SAVE AND QOS PASS
150 802.11 Power-save mode PASS PASS PASS PASS FAIL
151 Beacon period and DTIM interval NOT TESTED NOT TESTED NOT TESTED NOT TESTED Only Dtim 1 for AP205 AP103 no remark NOT TESTED
152 802.11e U-APSD PASS PASS PASS PASS See Comment
202 WMM prioritization NOT TESTED NOT TESTED NOT TESTED NOT TESTED background load generated with iPerf No degeneration of voice quality
TEST AREA PERFORMANCE
301 Active mode - unencrypted NOT TESTED NOT TESTED NOT TESTED NOT TESTED
303 Active mode - encrypted with WPA2-PSK NOT TESTED NOT TESTED NOT TESTED NOT TESTED
308 Power-save mode U-APSD - WPA2-PSK NOT TESTED NOT TESTED NOT TESTED NOT TESTED
309 Power-save mode U-APSD - WPA2-PSK AES background load NOT TESTED NOT TESTED NOT TESTED NOT TESTED
310 CAC - TSPEC PASS PASS PASS PASS No TSPEC based CAC
TEST AREA ROAMING AND HANDOVER TIMES
401 Handover with open authentication and no encryption PASS PASS PASS PASS avg a/n 29ms, b/g/n 27ms
403 Handover with WPA-PSK authentication and TKIP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED
404 Handover with WPA2-PSK auth and AES-CCMP encryption PASS PASS PASS PASS avg a/n 57ms, b/g/n 55ms
408 Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption PASS PASS PASS PASS avg a/n 62ms, b/g/n 60ms
410 Handover using PMKSA caching PASS PASS PASS PASS Always on, see 408
411 Handover using PMKSA and opportunistic/proactive key caching PASS PASS PASS PASS Always on, see 408
412 Preauthentication NOT TESTED NOT TESTED NOT TESTED NOT TESTED
TEST AREA BATTERY LIFETIME
501 Battery lifetime in idle NOT TESTED NOT TESTED NOT TESTED NOT TESTED
502 Battery lifetime in call with no power save NOT TESTED NOT TESTED NOT TESTED NOT TESTED
504 Battery lifetime in call with power save mode U-APSD NOT TESTED NOT TESTED NOT TESTED NOT TESTED
TEST AREA STABILITY
601 Duration of call - Active mode PASS PASS PASS PASS
602 Duration of call - U-APSD mode PASS PASS PASS PASS
TEST AREA 802.11n
801 Frame aggregation A-MSDU NOT TESTED NOT TESTED NOT TESTED NOT TESTED
802 Frame aggregation A-MPDU NOT TESTED NOT TESTED NOT TESTED NOT TESTED
804 40MHz channels NOT TESTED NOT TESTED NOT TESTED PASS
805 802.11n rates PASS PASS PASS PASS

crypto isakmp policy 20
   encryption aes256
crypto isakmp policy 10001
crypto isakmp policy 10002
   encryption aes256
   authentication rsa-sig
crypto isakmp policy 10003
   encryption aes256
crypto isakmp policy 10004
   version v2
   encryption aes256
   authentication rsa-sig
crypto isakmp policy 10005
   encryption aes256
crypto isakmp policy 10006
   version v2
   encryption aes128
   authentication rsa-sig
crypto isakmp policy 10007
   version v2
   encryption aes128
crypto isakmp policy 10008
   version v2
   encryption aes128
   hash sha2-256-128
   group 19
   authentication ecdsa-256
   prf prf-hmac-sha256
crypto isakmp policy 10009
   version v2
   encryption aes256
   hash sha2-384-192
   group 20
   authentication ecdsa-384
   prf prf-hmac-sha384
crypto ipsec transform-set default-ha-transform esp-3des esp-sha-hmac
crypto ipsec transform-set default-boc-bm-transform esp-3des esp-sha-hmac
crypto ipsec transform-set default-rap-transform esp-aes256 esp-sha-hmac
crypto ipsec transform-set default-aes esp-aes256 esp-sha-hmac
crypto dynamic-map default-rap-ipsecmap 10001
   version v2
   set transform-set default-gcm256 default-gcm128 default-rap-transform
crypto dynamic-map default-dynamicmap 10000
   set transform-set default-transform default-aes


crypto map GLOBAL-IKEV2-MAP 10000 ipsec-isakmp dynamic default-rap-ipsecmap
crypto map GLOBAL-MAP 10000 ipsec-isakmp dynamic default-dynamicmap
crypto isakmp eap-passthrough eap-tls
crypto isakmp eap-passthrough eap-peap
crypto isakmp eap-passthrough eap-mschapv2
vpdn group l2tp
vpdn group pptp
tunneled-node-address 0000
adp discovery enable
adp igmp-join enable
adp igmp-vlan 0
voice rtcp-inactivity disable
voice alg-based-cac enable
voice sip-midcall-req-timeout disable
ap ap-blacklist-time 3600
ap flush-r1-on-new-r0 disable
mgmt-user admin root 5436b5a101681372db26d314e974065944317cd3e1fe6a5534
no database synchronize
ip mobile domain default
airgroup mdns enable
airgroup dlna enable
airgroup location-discovery enable
airgroup active-wireless-discovery disable
airgroupservice airplay
   id _airplay_tcp
   id _raop_tcp
   id _appletv-v2_tcp
   description AirPlay
airgroupservice airprint
   id _ipp_tcp
   id _pdl-datastream_tcp
   id _printer_tcp
   id _scanner_tcp
   id _universal_sub_ipp_tcp
   id _universal_sub_ipps_tcp
   id _printer_sub_http_tcp
   id _http_tcp


   id _http-alt_tcp
   id _ipp-tls_tcp
   id _fax-ipp_tcp
   id _riousbprint_tcp
   id _cups_sub_ipp_tcp
   id _cups_sub_fax-ipp_tcp
   id _ica-networking_tcp
   id _ptp_tcp
   id _canon-bjnp1_tcp
   id _ipps_tcp
   id _ica-networking2_tcp
   description AirPrint
airgroupservice itunes
   id _home-sharing_tcp
   id _apple-mobdev_tcp
   id _daap_tcp
   id _dacp_tcp
   description iTunes
airgroupservice remotemgmt
   id _ssh_tcp
   id _sftp-ssh_tcp
   id _ftp_tcp
   id _telnet_tcp
   id _rfb_tcp
   id _net-assistant_tcp
   description Remote management
airgroupservice sharing
   id _odisk_tcp
   id _afpovertcp_tcp
   id _xgrid_tcp
   description Sharing
airgroupservice chat
   id _presence_tcp
   description Chat
airgroupservice googlecast
   id _googlecast_tcp
   description GoogleCast supported by Chromecast etc
airgroupservice DIAL
   id urndial-multiscreen-orgservicedial1
   id urndial-multiscreen-orgdevicedial1
   description DIAL supported by Chromecast FireTV Roku etc
airgroupservice DLNA Media
   id urnschemas-upnp-orgdeviceMediaServer1
   id urnschemas-upnp-orgdeviceMediaServer2
   id urnschemas-upnp-orgdeviceMediaServer3
   id urnschemas-upnp-orgdeviceMediaServer4
   id urnschemas-upnp-orgdeviceMediaRenderer1
   id urnschemas-upnp-orgdeviceMediaRenderer2
   id urnschemas-upnp-orgdeviceMediaRenderer3
   id urnschemas-upnp-orgdeviceMediaPlayer1
   description Media
airgroupservice DLNA Print
   id urnschemas-upnp-orgdevicePrinter1
   id urnschemas-upnp-orgservicePrintBasic1
   id urnschemas-upnp-orgservicePrintEnhanced1
   description Print
airgroupservice allowall


   description Remaining-Services
airgroup service airplay enable
airgroup service airprint enable
airgroup service itunes disable
airgroup service remotemgmt disable
airgroup service sharing disable
airgroup service chat disable
airgroup service googlecast disable
airgroup service DIAL enable
airgroup service DLNA Media disable
airgroup service DLNA Print disable
airgroup service allowall disable
ip igmp
ipv6 mld
no firewall attack-rate cp 1024
firewall enable ICE-STUN based firewall traversal
firewall attack-rate grat-arp 50 drop
ipv6 firewall ext-hdr-parse-len 100
firewall cp
ip domain lookup
country US
aaa authentication mac default
aaa authentication dot1x ArubaIntop-dot1x_prof
aaa authentication dot1x ascom
   machine-authentication enable
   machine-authentication machine-default-role ascom
   machine-authentication user-default-role authenticated
   reauthentication
   termination enable
   termination eap-type eap-peap
   termination inner-eap-type eap-mschapv2
aaa authentication dot1x default
aaa authentication dot1x Freeradius
   machine-authentication enable
   machine-authentication machine-default-role ascom
   machine-authentication user-default-role authenticated
aaa authentication-server radius Intop
   host 19216802


   key 6035e299cd29e5ccb74cf92aac31ee2f
aaa server-group ascom
   auth-server Internal
aaa server-group default
   auth-server Internal
   set role condition role value-of
aaa server-group intop
   auth-server Intop
aaa profile ascom
   initial-role ascom
   authentication-dot1x ascom
   dot1x-default-role authenticated
   dot1x-server-group ascom
aaa profile default
aaa profile default-dot1x
   initial-role ascom
   authentication-dot1x Freeradius
   dot1x-default-role authenticated
   dot1x-server-group intop
aaa profile default-dot1x-psk
   initial-role ascom
   authentication-dot1x default-psk
   dot1x-default-role authenticated
aaa authentication captive-portal default
aaa authentication wispr default
aaa authentication vpn default
aaa authentication vpn default-rap
aaa authentication mgmt
aaa authentication stateful-ntlm default
aaa authentication stateful-kerberos default
aaa authentication stateful-dot1x
   server-group intop
aaa authentication wired
web-server
guest-access-email
voice logging
voice dialplan-profile default
app lync traffic-control default
voice real-time-config
voice sip
aaa password-policy mgmt


control-plane-security
   no cpsec-enable
ids wms-general-profile
   poll-retries 3
ids wms-local-system-profile
valid-network-oui-profile
upgrade-profile
license profile
activate-service-whitelist
file syncing profile
ifmap cppm
pan profile default
pan active-profile
ap system-profile default
ap regulatory-domain-profile default
   country-code US
   valid-11g-channel 1
   valid-11g-channel 6
   valid-11g-channel 11
   valid-11a-channel 36
   valid-11a-channel 40
   valid-11a-channel 44
   valid-11a-channel 48
   valid-11a-channel 149
   valid-11a-channel 153
   valid-11a-channel 157
   valid-11a-channel 161
   valid-11a-channel 165
   valid-11g-40mhz-channel-pair 1-5
   valid-11g-40mhz-channel-pair 7-11
   valid-11a-40mhz-channel-pair 36-40
   valid-11a-40mhz-channel-pair 44-48
   valid-11a-40mhz-channel-pair 149-153
   valid-11a-40mhz-channel-pair 157-161
ap wired-ap-profile default
ap enet-link-profile default
ap mesh-ht-ssid-profile default
ap lldp med-network-policy-profile default
ap mesh-cluster-profile default
ap lldp profile default
ap mesh-radio-profile default
ap wired-port-profile default
ids general-profile default
ids unauthorized-device-profile default


ids profile default
rf arm-profile default
   assignment disable
rf arm-profile disable
   assignment disable
   no scanning
   no multi-band-scan
rf optimization-profile default
rf event-thresholds-profile default
rf am-scan-profile default
rf dot11a-radio-profile ch 165
   channel 48E
   tx-power 6
   arm-profile disable
rf dot11a-radio-profile ch 36
   channel 36E
   tx-power 25
   dot11h
   arm-profile disable
rf dot11a-radio-profile ch 40
   channel 40-
   tx-power 22
rf dot11a-radio-profile ch149
   channel 149E
   tx-power 6
   dot11h
rf dot11a-radio-profile ch44
   channel 44
   tx-power 16
rf dot11a-radio-profile default
   arm-profile disable
rf dot11g-radio-profile channel-1
   channel 1
   tx-power 6
   dot11h
   arm-profile disable
rf dot11g-radio-profile channel-11
   channel 11
   tx-power 30
   dot11h
   arm-profile disable
rf dot11g-radio-profile channel-6
   channel 6
   tx-power 25
   dot11h
   arm-profile disable
rf dot11g-radio-profile default
wlan handover-trigger-profile default


wlan rrm-ie-profile default
wlan bcn-rpt-req-profile default
wlan dot11r-profile default
wlan tsm-req-profile default
wlan voip-cac-profile default
   call-capacity 5
   bandwidth-capacity 200
   send-sip-status-code client 503
   send-sip-status-code server 503
wlan ht-ssid-profile default
   no 40MHz-enable
   no very-high-throughput-enable
   no 80MHz-enable
   no short-guard-intvl-20MHz
   no short-guard-intvl-40MHz
   no short-guard-intvl-80MHz
wlan hotspot anqp-venue-name-profile default
wlan hotspot anqp-nwk-auth-profile default
wlan hotspot anqp-roam-cons-profile default
wlan hotspot anqp-nai-realm-profile default
wlan hotspot anqp-3gpp-nwk-profile default
wlan hotspot h2qp-operator-friendly-name-profile default
wlan hotspot h2qp-wan-metrics-profile default
wlan hotspot h2qp-conn-capability-profile default
wlan hotspot h2qp-op-cl-profile default
wlan hotspot anqp-ip-addr-avail-profile default
wlan hotspot anqp-domain-name-profile default
wlan wmm-traffic-management-profile Ascom
   enable-shaping
wlan edca-parameters-profile station default
wlan edca-parameters-profile ap default
wlan dot11k-profile default
wlan ssid-profile --NEW--
   essid ArubaIntop2
   wmm-vo-dscp 56
   wmm-vi-dscp 40
   wmm-be-dscp 24
   wmm-bk-dscp 8
wlan ssid-profile default
   essid ArubaIntop
   opmode wpa2-psk-aes
   dtim-period 5
   g-basic-rates 6
   g-tx-rates 11 12 18 24 36 48 54


   max-retries 4
   wmm
   wmm-vo-dscp 46
   wmm-vi-dscp 40
   wmm-be-dscp 26
   wmm-bk-dscp 0
   wepkey1 1317981aecb1ee9a3145cbeeabbbc99a4c29e309ef9c8544
   wpa-passphrase 50a78a5dac7e447441e028920cceef898a3ba5f29c6e2098
   max-tx-fail 25
   edca-parameters-profile station default
   edca-parameters-profile ap default
wlan ssid-profile test
   opmode wpa2-psk-aes
   wmm-vo-dscp 56
   wmm-vi-dscp 40
   wmm-be-dscp 24
   wmm-bk-dscp 8
   wpa-passphrase c66913b490044f55538730b888a8522c02008a746fb88738
wlan hotspot advertisement-profile default
wlan hotspot hs2-profile default
wlan virtual-ap default
   aaa-profile default-dot1x
ap provisioning-profile default
rf arm-rf-domain-profile
   arm-rf-domain-key 49868e8b02680a8f03980ea4288197a4
ap-lacp-striping-ip
ap-group default
   virtual-ap default
   dot11a-radio-profile ch149
   dot11g-radio-profile channel-6
ap-name 001a1eca2c1a
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-11
ap-name 001a1eca2c76
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-1
ap-name 00246ccbf8b1
ap-name 00246ccbf900
   dot11a-radio-profile ch44
   dot11g-radio-profile channel-11
ap-name 24dec6cacabc
   dot11a-radio-profile ch149
   dot11g-radio-profile channel-1
ap-name 3400-ap-61-a
   dot11g-radio-profile channel-6
ap-name 3400-ap-61-b
   dot11g-radio-profile channel-6
ap-name 9c1c12c0c3bc
   dot11a-radio-profile ch 165
   dot11g-radio-profile channel-6


ap-name 9c1c12c82e5c
   dot11a-radio-profile ch149
   dot11g-radio-profile channel-1
ap-name 9c1c12cc6220
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-6
ap-name d8c7c8c0a168
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-1
airgroup cppm-server aaa
logging level warnings security subcat ids
logging level warnings security subcat ids-ap
snmp-server enable trap
snmp-server trap source 0000
snmp-server trap disable wlsxAdhocNetwork
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedAP
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedSta
snmp-server trap disable wlsxAdhocUsingValidSSID
snmp-server trap disable wlsxAuthMaxAclEntries
snmp-server trap disable wlsxAuthMaxBWContracts
snmp-server trap disable wlsxAuthMaxUserEntries
snmp-server trap disable wlsxAuthServerIsUp
snmp-server trap disable wlsxAuthServerReqTimedOut
snmp-server trap disable wlsxAuthServerTimedOut
snmp-server trap disable wlsxChannelChanged
snmp-server trap disable wlsxCoverageHoleDetected
snmp-server trap disable wlsxDBCommunicationFailure
snmp-server trap disable wlsxDisconnectStationAttack
snmp-server trap disable wlsxESIServerDown
snmp-server trap disable wlsxESIServerUp
snmp-server trap disable wlsxFanFailure
snmp-server trap disable wlsxFanTrayInserted
snmp-server trap disable wlsxFanTrayRemoved
snmp-server trap disable wlsxGBICInserted
snmp-server trap disable wlsxIpSpoofingDetected
snmp-server trap disable wlsxLCInserted
snmp-server trap disable wlsxLCRemoved
snmp-server trap disable wlsxLicenseExpiry
snmp-server trap disable wlsxLowMemory
snmp-server trap disable wlsxLowOnFlashSpace
snmp-server trap disable wlsxOutOfRangeTemperature
snmp-server trap disable wlsxOutOfRangeVoltage
snmp-server trap disable wlsxPowerSupplyFailure
snmp-server trap disable wlsxPowerSupplyMissing
snmp-server trap disable wlsxProcessDied
snmp-server trap disable wlsxProcessExceedsMemoryLimits
snmp-server trap disable wlsxSCInserted
snmp-server trap disable wlsxSignatureMatch
snmp-server trap disable wlsxStaUnAssociatedFromUnsecureAP
snmp-server trap disable wlsxStationAddedToBlackList
snmp-server trap disable wlsxStationRemovedFromBlackList
snmp-server trap disable wlsxSwitchIPChanged
snmp-server trap disable wlsxSwitchRoleChange
snmp-server trap disable wlsxUserAuthenticationFailed
snmp-server trap disable wlsxUserEntryAuthenticated
snmp-server trap disable wlsxUserEntryChanged
snmp-server trap disable wlsxUserEntryCreated
snmp-server trap disable wlsxUserEntryDeAuthenticated
snmp-server trap disable wlsxUserEntryDeleted
snmp-server trap disable wlsxVrrpStateChange


firewall-visibility
process monitor log
end

ArubaIntop2 wmm-vo-dscp 56 wmm-vi-dscp 40 wmm-be-dscp 24 wmm-bk-dscp 8wlan ssid-profile default essid ArubaIntop opmode wpa2-psk-aes dtim-period 5 g-basic-rates 6 g-tx-rates 11 12 18 24 36 48 54 max-retries 4 wmm wmm-vo-dscp 46 wmm-vi-dscp 40 wmm-be-dscp 26 wmm-bk-dscp 0 wepkey1 1317981aecb1ee9a3145cbeeabbbc99a4c29e309ef9c8544 wpa-passphrase 50a78a5dac7e447441e028920cceef898a3ba5f29c6e2098 max-tx-fail 25 edca-parameters-profile station default edca-parameters-profile ap defaultwlan ssid-profile test opmode wpa2-psk-aes wmm-vo-dscp 56 wmm-vi-dscp 40 wmm-be-dscp 24 wmm-bk-dscp 8 wpa-passphrase c66913b490044f55538730b888a8522c02008a746fb88738wlan hotspot advertisement-profile defaultwlan hotspot hs2-profile defaultwlan virtual-ap default aaa-profile default-dot1xap provisioning-profile defaultrf arm-rf-domain-profile arm-rf-domain-key 49868e8b02680a8f03980ea4288197a4ap-lacp-striping-ipap-group default virtual-ap default dot11a-radio-profile ch149 dot11g-radio-profile channel-6ap-name 001a1eca2c1a dot11a-radio-profile ch 36 dot11g-radio-profile channel-11ap-name 001a1eca2c76 dot11a-radio-profile ch 36 dot11g-radio-profile channel-1ap-name 00246ccbf8b1ap-name 00246ccbf900 dot11a-radio-profile ch44 dot11g-radio-profile channel-11ap-name 24dec6cacabc dot11a-radio-profile ch149 dot11g-radio-profile channel-1ap-name 3400-ap-61-a dot11g-radio-profile channel-6ap-name 3400-ap-61-b dot11g-radio-profile channel-6ap-name 9c1c12c0c3bc dot11a-radio-profile ch 165 dot11g-radio-profile channel-6ap-name 9c1c12c82e5c dot11a-radio-profile ch149 dot11g-radio-profile channel-1ap-name 9c1c12cc6220 dot11a-radio-profile ch 36 dot11g-radio-profile channel-6ap-name d8c7c8c0a168 dot11a-radio-profile ch 36 dot11g-radio-profile channel-1airgroup cppm-server aaalogging level warnings security subcat idslogging level warnings security subcat ids-apsnmp-server enable trapsnmp-server trap source 0000snmp-server trap disable wlsxAdhocNetworksnmp-server trap disable 
wlsxAdhocNetworkBridgeDetectedAPsnmp-server trap disable wlsxAdhocNetworkBridgeDetectedStasnmp-server trap disable wlsxAdhocUsingValidSSIDsnmp-server trap disable wlsxAuthMaxAclEntriessnmp-server trap disable wlsxAuthMaxBWContractssnmp-server trap disable wlsxAuthMaxUserEntriessnmp-server trap disable wlsxAuthServerIsUpsnmp-server trap disable wlsxAuthServerReqTimedOutsnmp-server trap disable wlsxAuthServerTimedOutsnmp-server trap disable wlsxChannelChangedsnmp-server trap disable wlsxCoverageHoleDetectedsnmp-server trap disable wlsxDBCommunicationFailuresnmp-server trap disable wlsxDisconnectStationAttacksnmp-server trap disable wlsxESIServerDownsnmp-server trap disable wlsxESIServerUpsnmp-server trap disable wlsxFanFailuresnmp-server trap disable wlsxFanTrayInsertedsnmp-server trap disable wlsxFanTrayRemovedsnmp-server trap disable wlsxGBICInsertedsnmp-server trap disable wlsxIpSpoofingDetectedsnmp-server trap disable wlsxLCInsertedsnmp-server trap disable wlsxLCRemovedsnmp-server trap disable wlsxLicenseExpirysnmp-server trap disable wlsxLowMemorysnmp-server trap disable wlsxLowOnFlashSpacesnmp-server trap disable wlsxOutOfRangeTemperaturesnmp-server trap disable wlsxOutOfRangeVoltagesnmp-server trap disable wlsxPowerSupplyFailuresnmp-server trap disable wlsxPowerSupplyMissingsnmp-server trap disable wlsxProcessDiedsnmp-server trap disable wlsxProcessExceedsMemoryLimitssnmp-server trap disable wlsxSCInsertedsnmp-server trap disable wlsxSignatureMatchsnmp-server trap disable wlsxStaUnAssociatedFromUnsecureAPsnmp-server trap disable wlsxStationAddedToBlackListsnmp-server trap disable wlsxStationRemovedFromBlackListsnmp-server trap disable wlsxSwitchIPChangedsnmp-server trap disable wlsxSwitchRoleChangesnmp-server trap disable wlsxUserAuthenticationFailedsnmp-server trap disable wlsxUserEntryAuthenticatedsnmp-server trap disable wlsxUserEntryChangedsnmp-server trap disable wlsxUserEntryCreatedsnmp-server trap disable wlsxUserEntryDeAuthenticatedsnmp-server trap 
disable wlsxUserEntryDeletedsnmp-server trap disable wlsxVrrpStateChangefirewall-visibility process monitor logend

WLAN TR


WLAN Interoperability Test Report

Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP115 and AP225
WLAN configuration: Beacon Interval 100ms, DTIM Interval 5, 802.11d Regulatory Domain XX, WMM Enabled (AutoWMM), No Auto-tune, Single Voice VLAN

| Test Case | Description | Ap115 2.4GHz | Ap115 5.0GHz | AP225 2.4GHz | AP225 5.0GHz | Comment |
|---|---|---|---|---|---|---|
| TEST AREA ASSOCIATION AUTHENTICATION | | | | | | |
| 101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS | |
| 104 | Association with WPA-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 105 | Association with WPA-PSK authentication, AES-CCMP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 106 | Association with WPA2-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS | |
| 110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL |
| 111 | Association with EAP-FAST authentication | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment |
| 116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate |
| TEST AREA POWER-SAVE AND QOS | | | | | | PASS |
| 150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL |
| 151 | Beacon period and DTIM interval | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
| 152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment |
| 202 | WMM prioritization | PASS | PASS | PASS | PASS | background load generated with iPerf. No degeneration of voice quality |
| TEST AREA PERFORMANCE | | | | | | |
| 301 | Active mode - unencrypted | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 303 | Active mode - encrypted with WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 308 | Power-save mode U-APSD - WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 309 | Power-save mode U-APSD - WPA2-PSK AES background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 310 | CAC - TSPEC | PASS | PASS | PASS | PASS | No TSPEC based CAC |
| TEST AREA ROAMING AND HANDOVER TIMES | | | | | | |
| 401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | avg a/n 24ms, b/g/n 24ms |
| 403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 52ms, b/g/n 59ms |
| 408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 63ms, b/g/n 62ms |
| 410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | always on, see 408 |
| 411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | always on, see 408 |
| TEST AREA BATTERY LIFETIME | | | | | | |
| 501 | Battery lifetime in idle | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 502 | Battery lifetime in call with no power save | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 504 | Battery lifetime in call with power save mode U-APSD | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| TEST AREA STABILITY | | | | | | |
| 601 | Duration of call - Active mode | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 602 | Duration of call - U-APSD mode | PASS | PASS | PASS | PASS | |
| TEST AREA 802.11n | | | | | | |
| 801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 804 | 40MHz channels | NOT TESTED | PASS | NOT TESTED | NOT TESTED | |
| 805 | 802.11n rates | PASS | PASS | PASS | PASS | |

WLAN Interoperability Test Report

Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, Ap103 and AP205
WLAN configuration: Beacon Interval 100ms, DTIM Interval 5, 802.11d Regulatory Domain XX, WMM Enabled (AutoWMM), No Auto-tune, Single Voice VLAN

| Test Case | Description | AP205 2.4GHz | AP205 5.0GHz | Ap103 2.4GHz | Ap103 5.0GHz | Comment |
|---|---|---|---|---|---|---|
| TEST AREA ASSOCIATION AUTHENTICATION | | | | | | |
| 101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS | |
| 104 | Association with WPA-PSK authentication, TKIP encryption | See Comment | See Comment | See Comment | See Comment | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 105 | Association with WPA-PSK authentication, AES-CCMP encryption | See Comment | See Comment | See Comment | See Comment | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 106 | Association with WPA2-PSK authentication, TKIP encryption | PASS | PASS | PASS | PASS | |
| 107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS | |
| 110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL |
| 115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment |
| 116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate |
| TEST AREA POWER-SAVE AND QOS | | | | | | PASS |
| 150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL |
| 151 | Beacon period and DTIM interval | See Comment | See Comment | PASS | PASS | Only DTIM 1 for AP205. AP103 no remark. NOT TESTED |
| 152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment |
| 202 | WMM prioritization | PASS | PASS | PASS | PASS | |
| TEST AREA PERFORMANCE | | | | | | |
| 301 | Active mode - unencrypted | PASS | PASS | PASS | PASS | |
| 303 | Active mode - encrypted with WPA2-PSK | PASS | PASS | PASS | PASS | |
| 308 | Power-save mode U-APSD - WPA2-PSK | PASS | PASS | PASS | PASS | |
| 309 | Power-save mode U-APSD - WPA2-PSK AES background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 310 | CAC - TSPEC | PASS | PASS | PASS | PASS | Non TSPEC based CAC |
| TEST AREA ROAMING AND HANDOVER TIMES | | | | | | |
| 401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 16ms, b/g/n 18ms |
| 403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 53ms, b/g/n 59ms |
| 408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 46ms, b/g/n 62ms |
| 410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | always on, see 408 |
| 411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | always on, see 408 |
| TEST AREA BATTERY LIFETIME | | | | | | |
| 501 | Battery lifetime in idle | See Comment | See Comment | PASS | PASS | 60-70h due to DTIM 1 only. AP103 90 100h (DTIM 5) |
| 502 | Battery lifetime in call with no power save | PASS | PASS | PASS | PASS | 3-4 hours |
| 504 | Battery lifetime in call with power save mode U-APSD | PASS | PASS | PASS | PASS | 13h (14-16h for AP103) |
| TEST AREA STABILITY | | | | | | |
| 601 | Duration of call - Active mode | PASS | PASS | PASS | PASS | 24h + |
| 602 | Duration of call - U-APSD mode | PASS | PASS | PASS | PASS | 24h + |
| TEST AREA 802.11n | | | | | | |
| 801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 804 | 40MHz channels | NOT TESTED | PASS | NOT TESTED | PASS | AP205 80MHz channels verified ok |
| 805 | 802.11n rates | PASS | PASS | PASS | PASS | |

WLAN Interoperability Test Report

Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, Ap105 and AP135
WLAN configuration: Beacon Interval 100ms, DTIM Interval 5, 802.11d Regulatory Domain XX, WMM Enabled (AutoWMM), No Auto-tune, Single Voice VLAN

| Test Case | Description | Ap105 2.4GHz | Ap105 5.0GHz | AP135 2.4GHz | AP135 5.0GHz | Comment |
|---|---|---|---|---|---|---|
| TEST AREA ASSOCIATION AUTHENTICATION | | | | | | |
| 101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS | |
| 104 | Association with WPA-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 105 | Association with WPA-PSK authentication, AES-CCMP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 106 | Association with WPA2-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS | |
| 110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL |
| 115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment |
| 116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate |
| TEST AREA POWER-SAVE AND QOS | | | | | | PASS |
| 150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL |
| 151 | Beacon period and DTIM interval | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Only DTIM 1 for AP205. AP103 no remark. NOT TESTED |
| 152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment |
| 202 | WMM prioritization | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | background load generated with iPerf. No degeneration of voice quality |
| TEST AREA PERFORMANCE | | | | | | |
| 301 | Active mode - unencrypted | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 303 | Active mode - encrypted with WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 308 | Power-save mode U-APSD - WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 309 | Power-save mode U-APSD - WPA2-PSK AES background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 310 | CAC - TSPEC | PASS | PASS | PASS | PASS | No TSPEC based CAC |
| TEST AREA ROAMING AND HANDOVER TIMES | | | | | | |
| 401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | avg a/n 29ms, b/g/n 27ms |
| 403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 57ms, b/g/n 55ms |
| 408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 62ms, b/g/n 60ms |
| 410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | Always on, see 408 |
| 411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | Always on, see 408 |
| 412 | Preauthentication | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| TEST AREA BATTERY LIFETIME | | | | | | |
| 501 | Battery lifetime in idle | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 502 | Battery lifetime in call with no power save | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 504 | Battery lifetime in call with power save mode U-APSD | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| TEST AREA STABILITY | | | | | | |
| 601 | Duration of call - Active mode | PASS | PASS | PASS | PASS | |
| 602 | Duration of call - U-APSD mode | PASS | PASS | PASS | PASS | |
| TEST AREA 802.11n | | | | | | |
| 801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 804 | 40MHz channels | NOT TESTED | NOT TESTED | NOT TESTED | PASS | |
| 805 | 802.11n rates | PASS | PASS | PASS | PASS | |

crypto map GLOBAL-IKEV2-MAP 10000 ipsec-isakmp dynamic default-rap-ipsecmap
crypto map GLOBAL-MAP 10000 ipsec-isakmp dynamic default-dynamicmap
crypto isakmp eap-passthrough eap-tls
crypto isakmp eap-passthrough eap-peap
crypto isakmp eap-passthrough eap-mschapv2
vpdn group l2tp
vpdn group pptp
tunneled-node-address 0000
adp discovery enable
adp igmp-join enable
adp igmp-vlan 0
voice rtcp-inactivity disable
voice alg-based-cac enable
voice sip-midcall-req-timeout disable
ap ap-blacklist-time 3600
ap flush-r1-on-new-r0 disable
mgmt-user admin root 5436b5a101681372db26d314e974065944317cd3e1fe6a5534
no database synchronize
ip mobile domain default
airgroup mdns enable
airgroup dlna enable
airgroup location-discovery enable
airgroup active-wireless-discovery disable
airgroupservice airplay id _airplay_tcp id _raop_tcp id _appletv-v2_tcp description AirPlay
airgroupservice airprint id _ipp_tcp id _pdl-datastream_tcp id _printer_tcp id _scanner_tcp id _universal_sub_ipp_tcp id _universal_sub_ipps_tcp id _printer_sub_http_tcp id _http_tcp id _http-alt_tcp id _ipp-tls_tcp id _fax-ipp_tcp id _riousbprint_tcp id _cups_sub_ipp_tcp id _cups_sub_fax-ipp_tcp id _ica-networking_tcp id _ptp_tcp id _canon-bjnp1_tcp id _ipps_tcp id _ica-networking2_tcp description AirPrint
airgroupservice itunes id _home-sharing_tcp id _apple-mobdev_tcp id _daap_tcp id _dacp_tcp description iTunes
airgroupservice remotemgmt id _ssh_tcp id _sftp-ssh_tcp id _ftp_tcp id _telnet_tcp id _rfb_tcp id _net-assistant_tcp description Remote management
airgroupservice sharing id _odisk_tcp id _afpovertcp_tcp id _xgrid_tcp description Sharing
airgroupservice chat id _presence_tcp description Chat
airgroupservice googlecast id _googlecast_tcp description GoogleCast supported by Chromecast etc
airgroupservice DIAL id urndial-multiscreen-orgservicedial1 id urndial-multiscreen-orgdevicedial1 description DIAL supported by Chromecast FireTV Roku etc
airgroupservice DLNA Media id urnschemas-upnp-orgdeviceMediaServer1 id urnschemas-upnp-orgdeviceMediaServer2 id urnschemas-upnp-orgdeviceMediaServer3 id urnschemas-upnp-orgdeviceMediaServer4 id urnschemas-upnp-orgdeviceMediaRenderer1 id urnschemas-upnp-orgdeviceMediaRenderer2 id urnschemas-upnp-orgdeviceMediaRenderer3 id urnschemas-upnp-orgdeviceMediaPlayer1 description Media
airgroupservice DLNA Print id urnschemas-upnp-orgdevicePrinter1 id urnschemas-upnp-orgservicePrintBasic1 id urnschemas-upnp-orgservicePrintEnhanced1 description Print
airgroupservice allowall description Remaining-Services
airgroup service airplay enable
airgroup service airprint enable
airgroup service itunes disable
airgroup service remotemgmt disable
airgroup service sharing disable
airgroup service chat disable
airgroup service googlecast disable
airgroup service DIAL enable
airgroup service DLNA Media disable
airgroup service DLNA Print disable
airgroup service allowall disable
ip igmp
ipv6 mld
no firewall attack-rate cp 1024
firewall enable ICE-STUN based firewall traversal
firewall attack-rate grat-arp 50 drop
ipv6 firewall ext-hdr-parse-len 100
firewall cp
ip domain lookup
country US
aaa authentication mac default
aaa authentication dot1x ArubaIntop-dot1x_prof
aaa authentication dot1x ascom machine-authentication enable machine-authentication machine-default-role ascom machine-authentication user-default-role authenticated reauthentication termination enable termination eap-type eap-peap termination inner-eap-type eap-mschapv2
aaa authentication dot1x default
aaa authentication dot1x Freeradius machine-authentication enable machine-authentication machine-default-role ascom machine-authentication user-default-role authenticated
aaa authentication-server radius Intop host 19216802 key 6035e299cd29e5ccb74cf92aac31ee2f
aaa server-group ascom auth-server Internal
aaa server-group default auth-server Internal set role condition role value-of
aaa server-group intop auth-server Intop
aaa profile ascom initial-role ascom authentication-dot1x ascom dot1x-default-role authenticated dot1x-server-group ascom
aaa profile default
aaa profile default-dot1x initial-role ascom authentication-dot1x Freeradius dot1x-default-role authenticated dot1x-server-group intop
aaa profile default-dot1x-psk initial-role ascom authentication-dot1x default-psk dot1x-default-role authenticated
aaa authentication captive-portal default
aaa authentication wispr default
aaa authentication vpn default
aaa authentication vpn default-rap
aaa authentication mgmt
aaa authentication stateful-ntlm default
aaa authentication stateful-kerberos default
aaa authentication stateful-dot1x server-group intop
aaa authentication wired
web-server
guest-access-email
voice logging
voice dialplan-profile default
app lync traffic-control default
voice real-time-config
voice sip
aaa password-policy mgmt
control-plane-security no cpsec-enable
ids wms-general-profile poll-retries 3
ids wms-local-system-profile
valid-network-oui-profile
upgrade-profile
license profile
activate-service-whitelist
file syncing profile
ifmap cppm
pan profile default
pan active-profile
ap system-profile default
ap regulatory-domain-profile default country-code US valid-11g-channel 1 valid-11g-channel 6 valid-11g-channel 11 valid-11a-channel 36 valid-11a-channel 40 valid-11a-channel 44 valid-11a-channel 48 valid-11a-channel 149 valid-11a-channel 153 valid-11a-channel 157 valid-11a-channel 161 valid-11a-channel 165 valid-11g-40mhz-channel-pair 1-5 valid-11g-40mhz-channel-pair 7-11 valid-11a-40mhz-channel-pair 36-40 valid-11a-40mhz-channel-pair 44-48 valid-11a-40mhz-channel-pair 149-153 valid-11a-40mhz-channel-pair 157-161
ap wired-ap-profile default
ap enet-link-profile default
ap mesh-ht-ssid-profile default
ap lldp med-network-policy-profile default
ap mesh-cluster-profile default
ap lldp profile default
ap mesh-radio-profile default
ap wired-port-profile default
ids general-profile default
ids unauthorized-device-profile default
ids profile default
rf arm-profile default assignment disable
rf arm-profile disable assignment disable no scanning no multi-band-scan
rf optimization-profile default
rf event-thresholds-profile default
rf am-scan-profile default
rf dot11a-radio-profile ch 165 channel 48E tx-power 6 arm-profile disable
rf dot11a-radio-profile ch 36 channel 36E tx-power 25 dot11h arm-profile disable
rf dot11a-radio-profile ch 40 channel 40- tx-power 22
rf dot11a-radio-profile ch149 channel 149E tx-power 6 dot11h
rf dot11a-radio-profile ch44 channel 44 tx-power 16
rf dot11a-radio-profile default arm-profile disable
rf dot11g-radio-profile channel-1 channel 1 tx-power 6 dot11h arm-profile disable
rf dot11g-radio-profile channel-11 channel 11 tx-power 30 dot11h arm-profile disable
rf dot11g-radio-profile channel-6 channel 6 tx-power 25 dot11h arm-profile disable
rf dot11g-radio-profile default
wlan handover-trigger-profile default
wlan rrm-ie-profile default
wlan bcn-rpt-req-profile default
wlan dot11r-profile default
wlan tsm-req-profile default
wlan voip-cac-profile default call-capacity 5 bandwidth-capacity 200 send-sip-status-code client 503 send-sip-status-code server 503
wlan ht-ssid-profile default no 40MHz-enable no very-high-throughput-enable no 80MHz-enable no short-guard-intvl-20MHz no short-guard-intvl-40MHz no short-guard-intvl-80MHz
wlan hotspot anqp-venue-name-profile default
wlan hotspot anqp-nwk-auth-profile default
wlan hotspot anqp-roam-cons-profile default
wlan hotspot anqp-nai-realm-profile default
wlan hotspot anqp-3gpp-nwk-profile default
wlan hotspot h2qp-operator-friendly-name-profile default
wlan hotspot h2qp-wan-metrics-profile default
wlan hotspot h2qp-conn-capability-profile default
wlan hotspot h2qp-op-cl-profile default
wlan hotspot anqp-ip-addr-avail-profile default
wlan hotspot anqp-domain-name-profile default
wlan wmm-traffic-management-profile Ascom enable-shaping
wlan edca-parameters-profile station default
wlan edca-parameters-profile ap default
wlan dot11k-profile default
wlan ssid-profile --NEW-- essid ArubaIntop2 wmm-vo-dscp 56 wmm-vi-dscp 40 wmm-be-dscp 24 wmm-bk-dscp 8
wlan ssid-profile default essid ArubaIntop opmode wpa2-psk-aes dtim-period 5 g-basic-rates 6 g-tx-rates 11 12 18 24 36 48 54 max-retries 4 wmm wmm-vo-dscp 46 wmm-vi-dscp 40 wmm-be-dscp 26 wmm-bk-dscp 0 wepkey1 1317981aecb1ee9a3145cbeeabbbc99a4c29e309ef9c8544 wpa-passphrase 50a78a5dac7e447441e028920cceef898a3ba5f29c6e2098 max-tx-fail 25 edca-parameters-profile station default edca-parameters-profile ap default
wlan ssid-profile test opmode wpa2-psk-aes wmm-vo-dscp 56 wmm-vi-dscp 40 wmm-be-dscp 24 wmm-bk-dscp 8 wpa-passphrase c66913b490044f55538730b888a8522c02008a746fb88738
wlan hotspot advertisement-profile default
wlan hotspot hs2-profile default
wlan virtual-ap default aaa-profile default-dot1x
ap provisioning-profile default
rf arm-rf-domain-profile arm-rf-domain-key 49868e8b02680a8f03980ea4288197a4
ap-lacp-striping-ip
ap-group default virtual-ap default dot11a-radio-profile ch149 dot11g-radio-profile channel-6
ap-name 001a1eca2c1a dot11a-radio-profile ch 36 dot11g-radio-profile channel-11
ap-name 001a1eca2c76 dot11a-radio-profile ch 36 dot11g-radio-profile channel-1
ap-name 00246ccbf8b1
ap-name 00246ccbf900 dot11a-radio-profile ch44 dot11g-radio-profile channel-11
ap-name 24dec6cacabc dot11a-radio-profile ch149 dot11g-radio-profile channel-1
ap-name 3400-ap-61-a dot11g-radio-profile channel-6
ap-name 3400-ap-61-b dot11g-radio-profile channel-6
ap-name 9c1c12c0c3bc dot11a-radio-profile ch 165 dot11g-radio-profile channel-6
ap-name 9c1c12c82e5c dot11a-radio-profile ch149 dot11g-radio-profile channel-1
ap-name 9c1c12cc6220 dot11a-radio-profile ch 36 dot11g-radio-profile channel-6
ap-name d8c7c8c0a168 dot11a-radio-profile ch 36 dot11g-radio-profile channel-1
airgroup cppm-server aaa
logging level warnings security subcat ids
logging level warnings security subcat ids-ap
snmp-server enable trap
snmp-server trap source 0000
snmp-server trap disable wlsxAdhocNetwork
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedAP
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedSta
snmp-server trap disable wlsxAdhocUsingValidSSID
snmp-server trap disable wlsxAuthMaxAclEntries
snmp-server trap disable wlsxAuthMaxBWContracts
snmp-server trap disable wlsxAuthMaxUserEntries
snmp-server trap disable wlsxAuthServerIsUp
snmp-server trap disable wlsxAuthServerReqTimedOut
snmp-server trap disable wlsxAuthServerTimedOut
snmp-server trap disable wlsxChannelChanged
snmp-server trap disable wlsxCoverageHoleDetected
snmp-server trap disable wlsxDBCommunicationFailure
snmp-server trap disable wlsxDisconnectStationAttack
snmp-server trap disable wlsxESIServerDown
snmp-server trap disable wlsxESIServerUp
snmp-server trap disable wlsxFanFailure
snmp-server trap disable wlsxFanTrayInserted
snmp-server trap disable wlsxFanTrayRemoved
snmp-server trap disable wlsxGBICInserted
snmp-server trap disable wlsxIpSpoofingDetected
snmp-server trap disable wlsxLCInserted
snmp-server trap disable wlsxLCRemoved
snmp-server trap disable wlsxLicenseExpiry
snmp-server trap disable wlsxLowMemory
snmp-server trap disable wlsxLowOnFlashSpace
snmp-server trap disable wlsxOutOfRangeTemperature
snmp-server trap disable wlsxOutOfRangeVoltage
snmp-server trap disable wlsxPowerSupplyFailure
snmp-server trap disable wlsxPowerSupplyMissing
snmp-server trap disable wlsxProcessDied
snmp-server trap disable wlsxProcessExceedsMemoryLimits
snmp-server trap disable wlsxSCInserted
snmp-server trap disable wlsxSignatureMatch
snmp-server trap disable wlsxStaUnAssociatedFromUnsecureAP
snmp-server trap disable wlsxStationAddedToBlackList
snmp-server trap disable wlsxStationRemovedFromBlackList
snmp-server trap disable wlsxSwitchIPChanged
snmp-server trap disable wlsxSwitchRoleChange
snmp-server trap disable wlsxUserAuthenticationFailed
snmp-server trap disable wlsxUserEntryAuthenticated
snmp-server trap disable wlsxUserEntryChanged
snmp-server trap disable wlsxUserEntryCreated
snmp-server trap disable wlsxUserEntryDeAuthenticated
snmp-server trap disable wlsxUserEntryDeleted
snmp-server trap disable wlsxVrrpStateChange
firewall-visibility
process monitor log
end


version 64
enable secret 7d3988e20126db68084797bcc038534bffc2ced01c24555806
hostname Aruba3400
clock timezone PST -8
location Building1floor1
controller config 716
ip NAT pool dynamic-srcnat 0000 0000
ip access-list eth validuserethacl
  permit any
netservice svc-pcoip2-tcp tcp 4172
netservice svc-snmp-trap udp 162
netservice svc-netbios-dgm udp 138
netservice svc-citrix tcp 2598
netservice svc-smb-tcp tcp 445
netservice svc-ike udp 500
netservice svc-l2tp udp 1701
netservice svc-syslog udp 514
netservice svc-dhcp udp 67 68 alg dhcp
netservice svc-https tcp 443
netservice svc-ica tcp 1494
netservice svc-pptp tcp 1723
netservice svc-telnet tcp 23
netservice svc-http-accl tcp 88
netservice svc-sccp tcp 2000 alg sccp
netservice svc-sec-papi udp 8209
netservice svc-tftp udp 69 alg tftp
netservice svc-kerberos udp 88
netservice svc-sip-tcp tcp 5060
netservice svc-netbios-ssn tcp 139
netservice svc-pcoip-udp udp 50002
netservice svc-pcoip-tcp tcp 50002
netservice svc-pop3 tcp 110
netservice svc-adp udp 8200
netservice svc-cfgm-tcp tcp 8211
netservice svc-noe udp 32512 alg noe
netservice svc-http-proxy3 tcp 8888
netservice svc-lpd-tcp tcp 631
netservice svc-msrpc-tcp tcp 135 139
netservice svc-rtsp tcp 554 alg rtsp
netservice svc-dns udp 53 alg dns
netservice vnc tcp 5900 5905
netservice svc-vocera udp 5002 alg vocera
netservice svc-h323-tcp tcp 1720
netservice svc-h323-udp udp 1718 1719
netservice svc-http tcp 80
netservice svc-nterm tcp 1026 1028
netservice svc-sip-udp udp 5060
netservice svc-http-proxy2 tcp 8080
netservice svc-noe-oxo udp 5000 alg noe
netservice svc-papi udp 8211
netservice svc-ftp tcp 21 alg ftp
netservice svc-natt udp 4500
netservice svc-svp 119 alg svp
netservice svc-microsoft-ds tcp 445
netservice svc-gre 47
netservice svc-smtp tcp 25
netservice web tcp list 80 443
netservice svc-smb-udp udp 445
netservice svc-sips tcp 5061 alg sips
netservice svc-netbios-ns udp 137
netservice svc-esp 50
netservice svc-cups tcp 515
netservice svc-pcoip2-udp udp 4172
netservice svc-bootp udp 67 69
netservice svc-snmp udp 161
netservice svc-v6-dhcp udp 546 547
netservice svc-icmp 1
netservice svc-ntp udp 123
netservice svc-msrpc-udp udp 135 139
netservice svc-ssh tcp 22
netservice svc-http-proxy1 tcp 3128
netservice svc-v6-icmp 58
netservice svc-lpd-udp udp 631
netservice svc-vmware-rdp tcp 3389
netdestination6 ipv6-reserved-range
  invert
  network 20003
netexthdr default
time-range night-hours periodic
  weekday 1801 to 2359
  weekday 0000 to 0759
time-range weekend periodic
  weekend 0000 to 2359
time-range working-hours periodic
  weekday 0800 to 1800
ip access-list session allow-diskservices
  any any svc-netbios-dgm permit
  any any svc-netbios-ssn permit
  any any svc-microsoft-ds permit
  any any svc-netbios-ns permit
ip access-list session control
  any any svc-papi permit
  any any svc-sec-papi permit
  user any udp 68 deny
  any any svc-icmp permit
  any any svc-dns permit
  any any svc-cfgm-tcp permit
  any any svc-adp permit
  any any svc-tftp permit
  any any svc-dhcp permit
  any any svc-natt permit
ip access-list session v6-icmp-acl
ip access-list session apprf-ascom-sacl
ip access-list session validuser
  network 16925400 25525500 any any deny
  network 127000 255000 any any deny
  network 224000 240000 any any deny
  host 255255255255 any any deny
  network 240000 240000 any any deny
  any any any permit
  ipv6 host fe80 any any deny
  ipv6 network fc007 any any permit
  ipv6 network fe8064 any any permit
  ipv6 alias ipv6-reserved-range any any deny
  ipv6 any any any permit
ip access-list session vocera-acl
  any any svc-vocera permit queue high
ip access-list session v6-https-acl
ip access-list session vmware-acl
  any any svc-vmware-rdp permit tos 46 dot1p-priority 6
  any any svc-pcoip-tcp permit tos 46 dot1p-priority 6
  any any svc-pcoip-udp permit tos 46 dot1p-priority 6
  any any svc-pcoip2-tcp permit tos 46 dot1p-priority 6
  any any svc-pcoip2-udp permit tos 46 dot1p-priority 6
ip access-list session apprf-default-vpn-role-sacl
ip access-list session v6-control
  ipv6 any any svc-papi permit
  ipv6 any any svc-sec-papi permit
  ipv6 user any udp 547 deny
  ipv6 any any svc-v6-icmp permit
  ipv6 any any svc-dns permit
  ipv6 any any svc-cfgm-tcp permit
  ipv6 any any svc-adp permit
  ipv6 any any svc-tftp permit
  ipv6 any any svc-dhcp permit
  ipv6 any any svc-natt permit
ip access-list session icmp-acl
  any any svc-icmp permit
ip access-list session apprf-authenticated-sacl
ip access-list session apprf-stateful-dot1x-sacl
ip access-list session captiveportal
  user alias controller svc-https dst-nat 8081
  user any svc-http dst-nat 8080
  user any svc-https dst-nat 8081
  user any svc-http-proxy1 dst-nat 8088
  user any svc-http-proxy2 dst-nat 8088
  user any svc-http-proxy3 dst-nat 8088
ip access-list session v6-dhcp-acl
ip access-list session allowall
  any any any permit
ip access-list session v6-dns-acl
ip access-list session apprf-voice-sacl
ip access-list session lync-acl
  any any svc-sips permit queue high
ip access-list session test
ip access-list session sip-acl
  any any svc-sip-udp permit queue high
  any any svc-sip-tcp permit queue high
ip access-list session https-acl
  any any svc-https permit
ip access-list session citrix-acl
  any any svc-citrix permit tos 46 dot1p-priority 6
  any any svc-ica permit tos 46 dot1p-priority 6
ip access-list session dns-acl
  any any svc-dns permit
ip access-list session ascom
  any any any permit
ip access-list session ra-guard
  ipv6 user any icmpv6 rtr-adv deny
ip access-list session allow-printservices
  any any svc-cups permit
  any any svc-lpd-tcp permit
  any any svc-lpd-udp permit
ip access-list session logon-control
  user any udp 68 deny
  any any svc-icmp permit
  any any svc-dns permit
  any any svc-dhcp permit
  any any svc-natt permit
  any network 16925400 25525500 any deny
  any network 240000 240000 any deny
ip access-list session vpnlogon
  user any svc-ike permit
  user any svc-esp permit
  any any svc-l2tp permit
  any any svc-pptp permit
  any any svc-gre permit
ip access-list session srcnat
  user any any src-nat
ip access-list session skinny-acl
  any any svc-sccp permit queue high
ip access-list session tftp-acl
  any any svc-tftp permit
ip access-list session v6-allowall
ip access-list session apprf-cpbase-sacl
ip access-list session cplogout
  user alias controller svc-https dst-nat 8081
ip access-list session apprf-default-via-role-sacl
ip access-list session dhcp-acl
  any any svc-dhcp permit
ip access-list session http-acl
  any any svc-http permit
ip access-list session v6-http-acl
ip access-list session captiveportal6
  ipv6 user alias controller6 svc-https captive
  ipv6 user any svc-http captive
  ipv6 user any svc-https captive
  ipv6 user any svc-http-proxy1 captive
  ipv6 user any svc-http-proxy2 captive
  ipv6 user any svc-http-proxy3 captive
ip access-list session apprf-guest-sacl
ip access-list session ap-uplink-acl
  any any udp 68 permit
  any any svc-icmp permit
  any host 22400251 udp 5353 permit
ip access-list session ap-acl
  any any svc-gre permit
  any any svc-syslog permit
  any user svc-snmp permit
  user any svc-http permit
  user any svc-http-accl permit
  user any svc-smb-tcp permit
  user any svc-msrpc-tcp permit
  user any svc-snmp-trap permit
  user any svc-ntp permit
  user alias controller svc-ftp permit
ip access-list session svp-acl
  any any svc-svp permit queue high
  user host 22401116 any permit
ip access-list session noe-acl
  any any svc-noe permit queue high
ip access-list session global-sacl
ip access-list session v6-ap-acl
  ipv6 any any svc-gre permit
  ipv6 any any svc-syslog permit
  ipv6 any user svc-snmp permit
  ipv6 user any svc-snmp-trap permit
  ipv6 user any svc-ntp permit
  ipv6 user alias controller6 svc-ftp permit
ip access-list session h323-acl
  any any svc-h323-tcp permit queue high
  any any svc-h323-udp permit queue high
ip access-list session v6-logon-control
  ipv6 any network fc007 any permit
  ipv6 any network fe8064 any permit
  ipv6 any alias ipv6-reserved-range any deny
vpn-dialer default-dialer
  ike authentication PRE-SHARE 0fa4598253e270cc96afbec0732b06120e4a3d76a908f6e2
dot1x high-watermark 60
dot1x low-watermark 57
user-role ap-role
  access-list session ra-guard
  access-list session control
  access-list session ap-acl
  access-list session v6-control
  access-list session v6-ap-acl
user-role denyall
user-role default-vpn-role
  access-list session global-sacl
  access-list session apprf-default-vpn-role-sacl
  access-list session ra-guard
  access-list session allowall
  access-list session v6-allowall
user-role cpbase
  access-list session global-sacl
  access-list session apprf-cpbase-sacl
user-role voice
  access-list session global-sacl
  access-list session apprf-voice-sacl
  access-list session ra-guard
  access-list session sip-acl
  access-list session noe-acl
  access-list session svp-acl
  access-list session vocera-acl
  access-list session skinny-acl
  access-list session h323-acl
  access-list session dhcp-acl
  access-list session tftp-acl
  access-list session dns-acl
  access-list session icmp-acl
user-role ascom
  access-list session global-sacl
  access-list session apprf-ascom-sacl
  access-list session ascom
user-role default-via-role
  access-list session global-sacl
  access-list session apprf-default-via-role-sacl
  access-list session allowall
  access-list session v6-allowall
user-role guest-logon
  captive-portal default
  access-list session ra-guard
  access-list session logon-control
  access-list session captiveportal
  access-list session v6-logon-control
  access-list session captiveportal6
user-role guest
  access-list session global-sacl
  access-list session apprf-guest-sacl
  access-list session ra-guard
  access-list session http-acl
  access-list session https-acl
  access-list session dhcp-acl
  access-list session icmp-acl
  access-list session dns-acl
  access-list session v6-http-acl
  access-list session v6-https-acl
  access-list session v6-dhcp-acl
  access-list session v6-icmp-acl
  access-list session v6-dns-acl
user-role stateful-dot1x
  access-list session global-sacl
  access-list session apprf-stateful-dot1x-sacl
user-role authenticated
  access-list session global-sacl
  access-list session apprf-authenticated-sacl
  access-list session ra-guard
  access-list session allowall
  access-list session v6-allowall
user-role logon
  access-list session ra-guard
  access-list session logon-control
  access-list session captiveportal
  access-list session vpnlogon
  access-list session v6-logon-control
  access-list session captiveportal6
no kernel coredump
interface mgmt
  shutdown
dialer group evdo_us
  init-string ATQ0V1E0
  dial-string ATDT777
dialer group gsm_us
  init-string AT+CGDCONT=1IPISPCINGULAR
  dial-string ATD99
dialer group gsm_asia
  init-string AT+CGDCONT=1IPinternet
  dial-string ATD991
dialer group vivo_br
  init-string AT+CGDCONT=1IPzapvivocombr
  dial-string ATD99
no spanning-tree
interface gigabitethernet 10
  description GE10
  trusted
  trusted vlan 1-4094
interface gigabitethernet 11
  description GE11
  trusted
  trusted vlan 1-4094
interface gigabitethernet 12
  description GE12
  trusted
  trusted vlan 1-4094
interface gigabitethernet 13
  description GE13
  trusted
  trusted vlan 1-4094
interface vlan 1
  ip address 192168013 2552552550
ip default-gateway 172201061
ip default-gateway 192168050
uplink disable
crypto isakmp policy 20
  encryption aes256
crypto isakmp policy 10001
crypto isakmp policy 10002
  encryption aes256
  authentication rsa-sig
crypto isakmp policy 10003
  encryption aes256
crypto isakmp policy 10004
  version v2
  encryption aes256
  authentication rsa-sig
crypto isakmp policy 10005
  encryption aes256
crypto isakmp policy 10006
  version v2
  encryption aes128
  authentication rsa-sig
crypto isakmp policy 10007
  version v2
  encryption aes128
crypto isakmp policy 10008
  version v2
  encryption aes128
  hash sha2-256-128
  group 19
  authentication ecdsa-256
  prf prf-hmac-sha256
crypto isakmp policy 10009
  version v2
  encryption aes256
  hash sha2-384-192
  group 20
  authentication ecdsa-384
  prf prf-hmac-sha384
crypto ipsec transform-set default-ha-transform esp-3des esp-sha-hmac
crypto ipsec transform-set default-boc-bm-transform esp-3des esp-sha-hmac
crypto ipsec transform-set default-rap-transform esp-aes256 esp-sha-hmac
crypto ipsec transform-set default-aes esp-aes256 esp-sha-hmac
crypto dynamic-map default-rap-ipsecmap 10001
  version v2
  set transform-set default-gcm256 default-gcm128 default-rap-transform
crypto dynamic-map default-dynamicmap 10000
  set transform-set default-transform default-aes
crypto map GLOBAL-IKEV2-MAP 10000 ipsec-isakmp dynamic default-rap-ipsecmap
crypto map GLOBAL-MAP 10000 ipsec-isakmp dynamic default-dynamicmap
crypto isakmp eap-passthrough eap-tls
crypto isakmp eap-passthrough eap-peap
crypto isakmp eap-passthrough eap-mschapv2
vpdn group l2tp
vpdn group pptp
tunneled-node-address 0000
adp discovery enable
adp igmp-join enable
adp igmp-vlan 0
voice rtcp-inactivity disable
voice alg-based-cac enable
voice sip-midcall-req-timeout disable
ap ap-blacklist-time 3600
ap flush-r1-on-new-r0 disable
mgmt-user admin root 5436b5a101681372db26d314e974065944317cd3e1fe6a5534
no database synchronize
ip mobile domain default
airgroup mdns enable
airgroup dlna enable
airgroup location-discovery enable
airgroup active-wireless-discovery disable
airgroupservice airplay
  id _airplay_tcp
  id _raop_tcp
  id _appletv-v2_tcp
  description AirPlay
airgroupservice airprint
  id _ipp_tcp
  id _pdl-datastream_tcp
  id _printer_tcp
  id _scanner_tcp
  id _universal_sub_ipp_tcp
  id _universal_sub_ipps_tcp
  id _printer_sub_http_tcp
  id _http_tcp
  id _http-alt_tcp
  id _ipp-tls_tcp
  id _fax-ipp_tcp
  id _riousbprint_tcp
  id _cups_sub_ipp_tcp
  id _cups_sub_fax-ipp_tcp
  id _ica-networking_tcp
  id _ptp_tcp
  id _canon-bjnp1_tcp
  id _ipps_tcp
  id _ica-networking2_tcp
  description AirPrint
airgroupservice itunes
  id _home-sharing_tcp
  id _apple-mobdev_tcp
  id _daap_tcp
  id _dacp_tcp
  description iTunes
airgroupservice remotemgmt
  id _ssh_tcp
  id _sftp-ssh_tcp
  id _ftp_tcp
  id _telnet_tcp
  id _rfb_tcp
  id _net-assistant_tcp
  description Remote management
airgroupservice sharing
  id _odisk_tcp
  id _afpovertcp_tcp
  id _xgrid_tcp
  description Sharing
airgroupservice chat
  id _presence_tcp
  description Chat
airgroupservice googlecast
  id _googlecast_tcp
  description GoogleCast supported by Chromecast etc
airgroupservice DIAL
  id urndial-multiscreen-orgservicedial1
  id urndial-multiscreen-orgdevicedial1
  description DIAL supported by Chromecast FireTV Roku etc
airgroupservice DLNA Media
  id urnschemas-upnp-orgdeviceMediaServer1
  id urnschemas-upnp-orgdeviceMediaServer2
  id urnschemas-upnp-orgdeviceMediaServer3
  id urnschemas-upnp-orgdeviceMediaServer4
  id urnschemas-upnp-orgdeviceMediaRenderer1
  id urnschemas-upnp-orgdeviceMediaRenderer2
  id urnschemas-upnp-orgdeviceMediaRenderer3
  id urnschemas-upnp-orgdeviceMediaPlayer1
  description Media
airgroupservice DLNA Print
  id urnschemas-upnp-orgdevicePrinter1
  id urnschemas-upnp-orgservicePrintBasic1
  id urnschemas-upnp-orgservicePrintEnhanced1
  description Print
airgroupservice allowall
  description Remaining-Services
airgroup service airplay enable
airgroup service airprint enable
airgroup service itunes disable
airgroup service remotemgmt disable
airgroup service sharing disable
airgroup service chat disable
airgroup service googlecast disable
airgroup service DIAL enable
airgroup service DLNA Media disable
airgroup service DLNA Print disable
airgroup service allowall disable
ip igmp
ipv6 mld
no firewall attack-rate cp 1024
firewall enable ICE-STUN based firewall traversal
firewall attack-rate grat-arp 50 drop
ipv6 firewall ext-hdr-parse-len 100
firewall cp
ip domain lookup
country US
aaa authentication mac default
aaa authentication dot1x ArubaIntop-dot1x_prof
aaa authentication dot1x ascom
  machine-authentication enable
  machine-authentication machine-default-role ascom
  machine-authentication user-default-role authenticated
  reauthentication
  termination enable
  termination eap-type eap-peap
  termination inner-eap-type eap-mschapv2
aaa authentication dot1x default
aaa authentication dot1x Freeradius
  machine-authentication enable
  machine-authentication machine-default-role ascom
  machine-authentication user-default-role authenticated
aaa authentication-server radius Intop
  host 19216802
  key 6035e299cd29e5ccb74cf92aac31ee2f
aaa server-group ascom
  auth-server Internal
aaa server-group default
  auth-server Internal
  set role condition role value-of
aaa server-group intop
  auth-server Intop
aaa profile ascom
  initial-role ascom
  authentication-dot1x ascom
  dot1x-default-role authenticated
  dot1x-server-group ascom
aaa profile default
aaa profile default-dot1x
  initial-role ascom
  authentication-dot1x Freeradius
  dot1x-default-role authenticated
  dot1x-server-group intop
aaa profile default-dot1x-psk
  initial-role ascom
  authentication-dot1x default-psk
  dot1x-default-role authenticated
aaa authentication captive-portal default
aaa authentication wispr default
aaa authentication vpn default
aaa authentication vpn default-rap
aaa authentication mgmt
aaa authentication stateful-ntlm default
aaa authentication stateful-kerberos default
aaa authentication stateful-dot1x
  server-group intop
aaa authentication wired
web-server
guest-access-email
voice logging
voice dialplan-profile default
app lync traffic-control default
voice real-time-config
voice sip
aaa password-policy mgmt
control-plane-security
  no cpsec-enable
ids wms-general-profile
  poll-retries 3
ids wms-local-system-profile
valid-network-oui-profile
upgrade-profile
license profile
activate-service-whitelist
file syncing profile
ifmap cppm
pan profile default
pan active-profile
ap system-profile default
ap regulatory-domain-profile default
  country-code US
  valid-11g-channel 1
  valid-11g-channel 6
  valid-11g-channel 11
  valid-11a-channel 36
  valid-11a-channel 40
  valid-11a-channel 44
  valid-11a-channel 48
  valid-11a-channel 149
  valid-11a-channel 153
  valid-11a-channel 157
  valid-11a-channel 161
  valid-11a-channel 165
  valid-11g-40mhz-channel-pair 1-5
  valid-11g-40mhz-channel-pair 7-11
  valid-11a-40mhz-channel-pair 36-40
  valid-11a-40mhz-channel-pair 44-48
  valid-11a-40mhz-channel-pair 149-153
  valid-11a-40mhz-channel-pair 157-161
ap wired-ap-profile default
ap enet-link-profile default
ap mesh-ht-ssid-profile default
ap lldp med-network-policy-profile default
ap mesh-cluster-profile default
ap lldp profile default
ap mesh-radio-profile default
ap wired-port-profile default
ids general-profile default
ids unauthorized-device-profile default
ids profile default
rf arm-profile default
  assignment disable
rf arm-profile disable
  assignment disable
  no scanning
  no multi-band-scan
rf optimization-profile default
rf event-thresholds-profile default
rf am-scan-profile default
rf dot11a-radio-profile ch 165
  channel 48E
  tx-power 6
  arm-profile disable
rf dot11a-radio-profile ch 36
  channel 36E
  tx-power 25
  dot11h
  arm-profile disable
rf dot11a-radio-profile ch 40
  channel 40-
  tx-power 22
rf dot11a-radio-profile ch149
  channel 149E
  tx-power 6
  dot11h
rf dot11a-radio-profile ch44
  channel 44
  tx-power 16
rf dot11a-radio-profile default
  arm-profile disable
rf dot11g-radio-profile channel-1
  channel 1
  tx-power 6
  dot11h
  arm-profile disable
rf dot11g-radio-profile channel-11
  channel 11
  tx-power 30
  dot11h
  arm-profile disable
rf dot11g-radio-profile channel-6
  channel 6
  tx-power 25
  dot11h
  arm-profile disable
rf dot11g-radio-profile default
wlan handover-trigger-profile default
wlan rrm-ie-profile default
wlan bcn-rpt-req-profile default
wlan dot11r-profile default
wlan tsm-req-profile default
wlan voip-cac-profile default
  call-capacity 5
  bandwidth-capacity 200
  send-sip-status-code client 503
  send-sip-status-code server 503
wlan ht-ssid-profile default
  no 40MHz-enable
  no very-high-throughput-enable
  no 80MHz-enable
  no short-guard-intvl-20MHz
  no short-guard-intvl-40MHz
  no short-guard-intvl-80MHz
wlan hotspot anqp-venue-name-profile default
wlan hotspot anqp-nwk-auth-profile default
wlan hotspot anqp-roam-cons-profile default
wlan hotspot anqp-nai-realm-profile default
wlan hotspot anqp-3gpp-nwk-profile default
wlan hotspot h2qp-operator-friendly-name-profile default
wlan hotspot h2qp-wan-metrics-profile default
wlan hotspot h2qp-conn-capability-profile default
wlan hotspot h2qp-op-cl-profile default
wlan hotspot anqp-ip-addr-avail-profile default
wlan hotspot anqp-domain-name-profile default
wlan wmm-traffic-management-profile Ascom
  enable-shaping
wlan edca-parameters-profile station default
wlan edca-parameters-profile ap default
wlan dot11k-profile default
wlan ssid-profile --NEW--
  essid ArubaIntop2
  wmm-vo-dscp 56
  wmm-vi-dscp 40
  wmm-be-dscp 24
  wmm-bk-dscp 8
wlan ssid-profile default
  essid ArubaIntop
  opmode wpa2-psk-aes
  dtim-period 5
  g-basic-rates 6
  g-tx-rates 11 12 18 24 36 48 54
  max-retries 4
  wmm
  wmm-vo-dscp 46
  wmm-vi-dscp 40
  wmm-be-dscp 26
  wmm-bk-dscp 0
  wepkey1 1317981aecb1ee9a3145cbeeabbbc99a4c29e309ef9c8544
  wpa-passphrase 50a78a5dac7e447441e028920cceef898a3ba5f29c6e2098
  max-tx-fail 25
  edca-parameters-profile station default
  edca-parameters-profile ap default
wlan ssid-profile test
  opmode wpa2-psk-aes
  wmm-vo-dscp 56
  wmm-vi-dscp 40
  wmm-be-dscp 24
  wmm-bk-dscp 8
  wpa-passphrase c66913b490044f55538730b888a8522c02008a746fb88738
wlan hotspot advertisement-profile default
wlan hotspot hs2-profile default
wlan virtual-ap default
  aaa-profile default-dot1x
ap provisioning-profile default
rf arm-rf-domain-profile
  arm-rf-domain-key 49868e8b02680a8f03980ea4288197a4
ap-lacp-striping-ip
ap-group default
  virtual-ap default
  dot11a-radio-profile ch149
  dot11g-radio-profile channel-6
ap-name 001a1eca2c1a
  dot11a-radio-profile ch 36
  dot11g-radio-profile channel-11
ap-name 001a1eca2c76
  dot11a-radio-profile ch 36
  dot11g-radio-profile channel-1
ap-name 00246ccbf8b1
ap-name 00246ccbf900
  dot11a-radio-profile ch44
  dot11g-radio-profile channel-11
ap-name 24dec6cacabc
  dot11a-radio-profile ch149
  dot11g-radio-profile channel-1
ap-name 3400-ap-61-a
  dot11g-radio-profile channel-6
ap-name 3400-ap-61-b
  dot11g-radio-profile channel-6
ap-name 9c1c12c0c3bc
  dot11a-radio-profile ch 165
  dot11g-radio-profile channel-6
ap-name 9c1c12c82e5c
  dot11a-radio-profile ch149
  dot11g-radio-profile channel-1
ap-name 9c1c12cc6220
  dot11a-radio-profile ch 36
  dot11g-radio-profile channel-6
ap-name d8c7c8c0a168
  dot11a-radio-profile ch 36
  dot11g-radio-profile channel-1
airgroup cppm-server aaa
logging level warnings security subcat ids
logging level warnings security subcat ids-ap
snmp-server enable trap
snmp-server trap source 0000
snmp-server trap disable wlsxAdhocNetwork
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedAP
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedSta
snmp-server trap disable wlsxAdhocUsingValidSSID
snmp-server trap disable wlsxAuthMaxAclEntries
snmp-server trap disable wlsxAuthMaxBWContracts
snmp-server trap disable wlsxAuthMaxUserEntries
snmp-server trap disable wlsxAuthServerIsUp
snmp-server trap disable wlsxAuthServerReqTimedOut
snmp-server trap disable wlsxAuthServerTimedOut
snmp-server trap disable wlsxChannelChanged
snmp-server trap disable wlsxCoverageHoleDetected
snmp-server trap disable wlsxDBCommunicationFailure
snmp-server trap disable wlsxDisconnectStationAttack
snmp-server trap disable wlsxESIServerDown
snmp-server trap disable wlsxESIServerUp
snmp-server trap disable wlsxFanFailure
snmp-server trap disable wlsxFanTrayInserted
snmp-server trap disable wlsxFanTrayRemoved
snmp-server trap disable wlsxGBICInserted
snmp-server trap disable wlsxIpSpoofingDetected
snmp-server trap disable wlsxLCInserted
snmp-server trap disable wlsxLCRemoved
snmp-server trap disable wlsxLicenseExpiry
snmp-server trap disable wlsxLowMemory
snmp-server trap disable wlsxLowOnFlashSpace
snmp-server trap disable wlsxOutOfRangeTemperature
snmp-server trap disable wlsxOutOfRangeVoltage
snmp-server trap disable wlsxPowerSupplyFailure
snmp-server trap disable wlsxPowerSupplyMissing
snmp-server trap disable wlsxProcessDied
snmp-server trap disable wlsxProcessExceedsMemoryLimits
snmp-server trap disable wlsxSCInserted
snmp-server trap disable wlsxSignatureMatch
snmp-server trap disable wlsxStaUnAssociatedFromUnsecureAP
snmp-server trap disable wlsxStationAddedToBlackList
snmp-server trap disable wlsxStationRemovedFromBlackList
snmp-server trap disable wlsxSwitchIPChanged
snmp-server trap disable wlsxSwitchRoleChange
snmp-server trap disable wlsxUserAuthenticationFailed
snmp-server trap disable wlsxUserEntryAuthenticated
snmp-server trap disable wlsxUserEntryChanged
snmp-server trap disable wlsxUserEntryCreated
snmp-server trap disable wlsxUserEntryDeAuthenticated
snmp-server trap disable wlsxUserEntryDeleted
snmp-server trap disable wlsxVrrpStateChange
firewall-visibility
process monitor log
end


WLAN Interoperability Test Report

Test object - Handset: Ascom i62 sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP115 and AP225
WLAN configuration: Beacon Interval 100ms; DTIM Interval 5; 802.11d Regulatory Domain XX; WMM Enabled (AutoWMM); No Auto-tune; Single Voice VLAN

Test Case | Description | AP115 2.4 GHz | AP115 5.0 GHz | AP225 2.4 GHz | AP225 5.0 GHz | Comment

TEST AREA ASSOCIATION AUTHENTICATION
101 | Association with open authentication no encryption | PASS | PASS | PASS | PASS |
104 | Association with WPA-PSK authentication TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62
105 | Association with WPA-PSK authentication AES-CCMP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62
106 | Association with WPA2-PSK authentication TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
107 | Association with WPA2-PSK authentication AES-CCMP encryption | PASS | PASS | PASS | PASS |
110 | Association with PEAP-MSCHAPv2 auth AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL
111 | Association with EAP-FAST authentication | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment
116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate

TEST AREA POWER-SAVE AND QOS PASS
150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL
151 | Beacon period and DTIM interval | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED
152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment
202 | WMM prioritization | PASS | PASS | PASS | PASS | background load generated with iPerf. No degeneration of voice quality

TEST AREA PERFORMANCE
301 | Active mode - unencrypted | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
303 | Active mode - encrypted with WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
308 | Power-save mode U-APSD - WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
309 | Power-save mode U-APSD - WPA2-PSK AES background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
310 | CAC - TSPEC | PASS | PASS | PASS | PASS | No TSPEC based CAC

TEST AREA ROAMING AND HANDOVER TIMES
401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | avg a/n 24ms b/g/n 24ms
403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 52ms b/g/n 59ms
408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 63ms b/g/n 62ms
410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | always on see 408
411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | always on see 408

TEST AREA BATTERY LIFETIME
501 | Battery lifetime in idle | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
502 | Battery lifetime in call with no power save | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
504 | Battery lifetime in call with power save mode U-APSD | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |

TEST AREA STABILITY
601 | Duration of call - Active mode | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
602 | Duration of call - U-APSD mode | PASS | PASS | PASS | PASS |

TEST AREA 802.11n
801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
804 | 40 MHz channels | NOT TESTED | PASS | NOT TESTED | NOT TESTED |
805 | 802.11n rates | PASS | PASS | PASS | PASS |

WLAN Interoperability Test Report

Test object - Handset: Ascom i62 sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP103 and AP205
WLAN configuration: Beacon Interval 100ms; DTIM Interval 5; 802.11d Regulatory Domain XX; WMM Enabled (AutoWMM); No Auto-tune; Single Voice VLAN

Test Case | Description | AP205 2.4 GHz | AP205 5.0 GHz | AP103 2.4 GHz | AP103 5.0 GHz | Comment

TEST AREA ASSOCIATION AUTHENTICATION
101 | Association with open authentication no encryption | PASS | PASS | PASS | PASS |
104 | Association with WPA-PSK authentication TKIP encryption | See Comment | See Comment | See Comment | See Comment | Not tested. Only possible in Mixed mode and requires advanced configuration of i62
105 | Association with WPA-PSK authentication AES-CCMP encryption | See Comment | See Comment | See Comment | See Comment | Not tested. Only possible in Mixed mode and requires advanced configuration of i62
106 | Association with WPA2-PSK authentication TKIP encryption | PASS | PASS | PASS | PASS |
107 | Association with WPA2-PSK authentication AES-CCMP encryption | PASS | PASS | PASS | PASS |
110 | Association with PEAP-MSCHAPv2 auth AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL
115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment
116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate

TEST AREA POWER-SAVE AND QOS PASS
150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL
151 | Beacon period and DTIM interval | See Comment | See Comment | PASS | PASS | Only Dtim 1 for AP205 AP103 no remark NOT TESTED
152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment
202 | WMM prioritization | PASS | PASS | PASS | PASS |

TEST AREA PERFORMANCE
301 | Active mode - unencrypted | PASS | PASS | PASS | PASS |
303 | Active mode - encrypted with WPA2-PSK | PASS | PASS | PASS | PASS |
308 | Power-save mode U-APSD - WPA2-PSK | PASS | PASS | PASS | PASS |
309 | Power-save mode U-APSD - WPA2-PSK AES background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
310 | CAC - TSPEC | PASS | PASS | PASS | PASS | Non tspec based CAC

TEST AREA ROAMING AND HANDOVER TIMES
401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 16ms b/g/n 18ms
403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 53ms b/g/n 59ms
408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 46ms b/g/n 62ms
410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | always on see 408
411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | always on see 408

TEST AREA BATTERY LIFETIME
501 | Battery lifetime in idle | See Comment | See Comment | PASS | PASS | 60-70h due to DTIM 1 only AP103 90 100h (DTIM 5)
502 | Battery lifetime in call with no power save | PASS | PASS | PASS | PASS | 3-4hours
504 | Battery lifetime in call with power save mode U-APSD | PASS | PASS | PASS | PASS | 13h (14-16h for AP103)

TEST AREA STABILITY
601 | Duration of call - Active mode | PASS | PASS | PASS | PASS | 24h +
602 | Duration of call - U-APSD mode | PASS | PASS | PASS | PASS | 24h +

TEST AREA 802.11n
801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
804 | 40 MHz channels | NOT TESTED | PASS | NOT TESTED | PASS | AP205 80mhz channels verified ok
805 | 802.11n rates | PASS | PASS | PASS | PASS |
WLAN Interoperability Test Report WLAN configuration
Beacon Interval 100ms
Test object - Handset DTIM Interval 5
Ascomi62 sw version 528 80211d Regulatory Domain XX
Test object - WLAN system WMM Enabled (AutoWMM)
Aruba 3400 v 6420 No Auto-tune
Ap105 and AP135 Ap105 AP135 Single Voice VLAN
24Ghz 50Ghz 24Ghz 50Ghz
Test Case Description Verdict Verdict Verdict Verdict Comment
TEST AREA ASSOCIATION AUTHENTICATION
101 Association with open authentication no encryption PASS PASS PASS PASS
104 Association with WPA-PSK authentication TKIP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED Not tested Only possible in Mixed mode and requires advanced configuration of i62
105 Association with WPA-PSK authentication AES-CCMP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED Not tested Only possible in Mixed mode and requires advanced configuration of i62
106 Association with WPA2-PSK authentication TKIP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED
107 Association with WPA2-PSK authentication AES-CCMP encryption PASS PASS PASS PASS
110 Association with PEAP-MSCHAPv2 auth AES-CCMP encryption PASS PASS PASS PASS FreeRADIUS RootCA FAIL
115 Association with multiple ESSIDs on AP PASS PASS PASS PASS See Comment
116 Association with EAP-TLS authentication PASS PASS PASS PASS FreeRADIUS RootCA + client certificate
TEST AREA POWER-SAVE AND QOS PASS
150 80211 Power-save mode PASS PASS PASS PASS FAIL
151 Beacon period and DTIM interval NOT TESTED NOT TESTED NOT TESTED NOT TESTED Only Dtim 1 for AP205 AP103 no remark NOT TESTED
152 80211e U-APSD PASS PASS PASS PASS See Comment
202 WMM prioritization NOT TESTED NOT TESTED NOT TESTED NOT TESTED background load generated with iPerf No degeneration of voice quality
TEST AREA PERFORMANCE
301 Active mode - unencrypted NOT TESTED NOT TESTED NOT TESTED NOT TESTED
303 Active mode ndash encrypted with WPA2-PSK NOT TESTED NOT TESTED NOT TESTED NOT TESTED
308 Power-save mode U-APSD ndash WPA2-PSK NOT TESTED NOT TESTED NOT TESTED NOT TESTED
309 Power-save mode U-APSD ndash WPA2-PSK AES background load NOT TESTED NOT TESTED NOT TESTED NOT TESTED
310 CAC - TSPEC PASS PASS PASS PASS No TSPEC based CAC
TEST AREA ROAMING AND HANDOVER TIMES
401 Handover with open authentication and no encryption PASS PASS PASS PASS avg an29ms bgn 27ms
403 Handover with WPA-PSK authentication and TKIP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED
404 Handover with WPA2-PSK auth and AES-CCMP encryption PASS PASS PASS PASS avg an57ms bgn 55ms
408 Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption PASS PASS PASS PASS avg an62ms bgn 60ms
410 Handover using PMKSA caching PASS PASS PASS PASS Always on see 408
411 Handover using PMKSA and opportunisticproactive key caching PASS PASS PASS PASS Always on see 408
412 Preauthentication NOT TESTED NOT TESTED NOT TESTED NOT TESTED
TEST AREA BATTERY LIFETIME
501 Battery lifetime in idle NOT TESTED NOT TESTED NOT TESTED NOT TESTED
502 Battery lifetime in call with no power save NOT TESTED NOT TESTED NOT TESTED NOT TESTED
504 Battery lifetime in call with power save mode U-APSD NOT TESTED NOT TESTED NOT TESTED NOT TESTED
TEST AREA STABILITY
601 Duration of call - Active mode PASS PASS PASS PASS
602 Duration of call - U-APSD mode PASS PASS PASS PASS
TEST AREA 802.11n
801 Frame aggregation A-MSDU NOT TESTED NOT TESTED NOT TESTED NOT TESTED
802 Frame aggregation A-MPDU NOT TESTED NOT TESTED NOT TESTED NOT TESTED
804 40 MHz channels NOT TESTED NOT TESTED NOT TESTED PASS
805 802.11n rates PASS PASS PASS PASS

   id _http-alt_tcp
   id _ipp-tls_tcp
   id _fax-ipp_tcp
   id _riousbprint_tcp
   id _cups_sub_ipp_tcp
   id _cups_sub_fax-ipp_tcp
   id _ica-networking_tcp
   id _ptp_tcp
   id _canon-bjnp1_tcp
   id _ipps_tcp
   id _ica-networking2_tcp
   description AirPrint
airgroupservice itunes
   id _home-sharing_tcp
   id _apple-mobdev_tcp
   id _daap_tcp
   id _dacp_tcp
   description iTunes
airgroupservice remotemgmt
   id _ssh_tcp
   id _sftp-ssh_tcp
   id _ftp_tcp
   id _telnet_tcp
   id _rfb_tcp
   id _net-assistant_tcp
   description Remote management
airgroupservice sharing
   id _odisk_tcp
   id _afpovertcp_tcp
   id _xgrid_tcp
   description Sharing
airgroupservice chat
   id _presence_tcp
   description Chat
airgroupservice googlecast
   id _googlecast_tcp
   description GoogleCast supported by Chromecast etc
airgroupservice DIAL
   id urndial-multiscreen-orgservicedial1
   id urndial-multiscreen-orgdevicedial1
   description DIAL supported by Chromecast FireTV Roku etc
airgroupservice DLNA Media
   id urnschemas-upnp-orgdeviceMediaServer1
   id urnschemas-upnp-orgdeviceMediaServer2
   id urnschemas-upnp-orgdeviceMediaServer3
   id urnschemas-upnp-orgdeviceMediaServer4
   id urnschemas-upnp-orgdeviceMediaRenderer1
   id urnschemas-upnp-orgdeviceMediaRenderer2
   id urnschemas-upnp-orgdeviceMediaRenderer3
   id urnschemas-upnp-orgdeviceMediaPlayer1
   description Media
airgroupservice DLNA Print
   id urnschemas-upnp-orgdevicePrinter1
   id urnschemas-upnp-orgservicePrintBasic1
   id urnschemas-upnp-orgservicePrintEnhanced1
   description Print
airgroupservice allowall
   description Remaining-Services
airgroup service airplay enable
airgroup service airprint enable
airgroup service itunes disable
airgroup service remotemgmt disable
airgroup service sharing disable
airgroup service chat disable
airgroup service googlecast disable
airgroup service DIAL enable
airgroup service DLNA Media disable
airgroup service DLNA Print disable
airgroup service allowall disable
ip igmp
ipv6 mld
no firewall attack-rate cp 1024
firewall enable ICE-STUN based firewall traversal
firewall attack-rate grat-arp 50 drop
ipv6 firewall ext-hdr-parse-len 100
firewall cp
ip domain lookup
country US
aaa authentication mac default
aaa authentication dot1x ArubaIntop-dot1x_prof
aaa authentication dot1x ascom
   machine-authentication enable
   machine-authentication machine-default-role ascom
   machine-authentication user-default-role authenticated
   reauthentication
   termination enable
   termination eap-type eap-peap
   termination inner-eap-type eap-mschapv2
aaa authentication dot1x default
aaa authentication dot1x Freeradius
   machine-authentication enable
   machine-authentication machine-default-role ascom
   machine-authentication user-default-role authenticated
aaa authentication-server radius Intop
   host 19216802
   key 6035e299cd29e5ccb74cf92aac31ee2f
aaa server-group ascom
   auth-server Internal
aaa server-group default
   auth-server Internal
   set role condition role value-of
aaa server-group intop
   auth-server Intop
aaa profile ascom
   initial-role ascom
   authentication-dot1x ascom
   dot1x-default-role authenticated
   dot1x-server-group ascom
aaa profile default
aaa profile default-dot1x
   initial-role ascom
   authentication-dot1x Freeradius
   dot1x-default-role authenticated
   dot1x-server-group intop
aaa profile default-dot1x-psk
   initial-role ascom
   authentication-dot1x default-psk
   dot1x-default-role authenticated
aaa authentication captive-portal default
aaa authentication wispr default
aaa authentication vpn default
aaa authentication vpn default-rap
aaa authentication mgmt
aaa authentication stateful-ntlm default
aaa authentication stateful-kerberos default
aaa authentication stateful-dot1x
   server-group intop
aaa authentication wired
web-server
guest-access-email
voice logging
voice dialplan-profile default
app lync traffic-control default
voice real-time-config
voice sip
aaa password-policy mgmt
control-plane-security
   no cpsec-enable
ids wms-general-profile
   poll-retries 3
ids wms-local-system-profile
valid-network-oui-profile
upgrade-profile
license profile
activate-service-whitelist
file syncing profile
ifmap cppm
pan profile default
pan active-profile
ap system-profile default
ap regulatory-domain-profile default
   country-code US
   valid-11g-channel 1
   valid-11g-channel 6
   valid-11g-channel 11
   valid-11a-channel 36
   valid-11a-channel 40
   valid-11a-channel 44
   valid-11a-channel 48
   valid-11a-channel 149
   valid-11a-channel 153
   valid-11a-channel 157
   valid-11a-channel 161
   valid-11a-channel 165
   valid-11g-40mhz-channel-pair 1-5
   valid-11g-40mhz-channel-pair 7-11
   valid-11a-40mhz-channel-pair 36-40
   valid-11a-40mhz-channel-pair 44-48
   valid-11a-40mhz-channel-pair 149-153
   valid-11a-40mhz-channel-pair 157-161
ap wired-ap-profile default
ap enet-link-profile default
ap mesh-ht-ssid-profile default
ap lldp med-network-policy-profile default
ap mesh-cluster-profile default
ap lldp profile default
ap mesh-radio-profile default
ap wired-port-profile default
ids general-profile default
ids unauthorized-device-profile default
ids profile default
rf arm-profile default
   assignment disable
rf arm-profile disable
   assignment disable
   no scanning
   no multi-band-scan
rf optimization-profile default
rf event-thresholds-profile default
rf am-scan-profile default
rf dot11a-radio-profile ch 165
   channel 48E
   tx-power 6
   arm-profile disable
rf dot11a-radio-profile ch 36
   channel 36E
   tx-power 25
   dot11h
   arm-profile disable
rf dot11a-radio-profile ch 40
   channel 40-
   tx-power 22
rf dot11a-radio-profile ch149
   channel 149E
   tx-power 6
   dot11h
rf dot11a-radio-profile ch44
   channel 44
   tx-power 16
rf dot11a-radio-profile default
   arm-profile disable
rf dot11g-radio-profile channel-1
   channel 1
   tx-power 6
   dot11h
   arm-profile disable
rf dot11g-radio-profile channel-11
   channel 11
   tx-power 30
   dot11h
   arm-profile disable
rf dot11g-radio-profile channel-6
   channel 6
   tx-power 25
   dot11h
   arm-profile disable
rf dot11g-radio-profile default
wlan handover-trigger-profile default
wlan rrm-ie-profile default
wlan bcn-rpt-req-profile default
wlan dot11r-profile default
wlan tsm-req-profile default
wlan voip-cac-profile default
   call-capacity 5
   bandwidth-capacity 200
   send-sip-status-code client 503
   send-sip-status-code server 503
wlan ht-ssid-profile default
   no 40MHz-enable
   no very-high-throughput-enable
   no 80MHz-enable
   no short-guard-intvl-20MHz
   no short-guard-intvl-40MHz
   no short-guard-intvl-80MHz
wlan hotspot anqp-venue-name-profile default
wlan hotspot anqp-nwk-auth-profile default
wlan hotspot anqp-roam-cons-profile default
wlan hotspot anqp-nai-realm-profile default
wlan hotspot anqp-3gpp-nwk-profile default
wlan hotspot h2qp-operator-friendly-name-profile default
wlan hotspot h2qp-wan-metrics-profile default
wlan hotspot h2qp-conn-capability-profile default
wlan hotspot h2qp-op-cl-profile default
wlan hotspot anqp-ip-addr-avail-profile default
wlan hotspot anqp-domain-name-profile default
wlan wmm-traffic-management-profile Ascom
   enable-shaping
wlan edca-parameters-profile station default
wlan edca-parameters-profile ap default
wlan dot11k-profile default
wlan ssid-profile --NEW--
   essid ArubaIntop2
   wmm-vo-dscp 56
   wmm-vi-dscp 40
   wmm-be-dscp 24
   wmm-bk-dscp 8
wlan ssid-profile default
   essid ArubaIntop
   opmode wpa2-psk-aes
   dtim-period 5
   g-basic-rates 6
   g-tx-rates 11 12 18 24 36 48 54
   max-retries 4
   wmm
   wmm-vo-dscp 46
   wmm-vi-dscp 40
   wmm-be-dscp 26
   wmm-bk-dscp 0
   wepkey1 1317981aecb1ee9a3145cbeeabbbc99a4c29e309ef9c8544
   wpa-passphrase 50a78a5dac7e447441e028920cceef898a3ba5f29c6e2098
   max-tx-fail 25
   edca-parameters-profile station default
   edca-parameters-profile ap default
wlan ssid-profile test
   opmode wpa2-psk-aes
   wmm-vo-dscp 56
   wmm-vi-dscp 40
   wmm-be-dscp 24
   wmm-bk-dscp 8
   wpa-passphrase c66913b490044f55538730b888a8522c02008a746fb88738
wlan hotspot advertisement-profile default
wlan hotspot hs2-profile default
wlan virtual-ap default
   aaa-profile default-dot1x
ap provisioning-profile default
rf arm-rf-domain-profile
   arm-rf-domain-key 49868e8b02680a8f03980ea4288197a4
ap-lacp-striping-ip
ap-group default
   virtual-ap default
   dot11a-radio-profile ch149
   dot11g-radio-profile channel-6
ap-name 001a1eca2c1a
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-11
ap-name 001a1eca2c76
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-1
ap-name 00246ccbf8b1
ap-name 00246ccbf900
   dot11a-radio-profile ch44
   dot11g-radio-profile channel-11
ap-name 24dec6cacabc
   dot11a-radio-profile ch149
   dot11g-radio-profile channel-1
ap-name 3400-ap-61-a
   dot11g-radio-profile channel-6
ap-name 3400-ap-61-b
   dot11g-radio-profile channel-6
ap-name 9c1c12c0c3bc
   dot11a-radio-profile ch 165
   dot11g-radio-profile channel-6
ap-name 9c1c12c82e5c
   dot11a-radio-profile ch149
   dot11g-radio-profile channel-1
ap-name 9c1c12cc6220
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-6
ap-name d8c7c8c0a168
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-1
airgroup cppm-server aaa
logging level warnings security subcat ids
logging level warnings security subcat ids-ap
snmp-server enable trap
snmp-server trap source 0000
snmp-server trap disable wlsxAdhocNetwork
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedAP
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedSta
snmp-server trap disable wlsxAdhocUsingValidSSID
snmp-server trap disable wlsxAuthMaxAclEntries
snmp-server trap disable wlsxAuthMaxBWContracts
snmp-server trap disable wlsxAuthMaxUserEntries
snmp-server trap disable wlsxAuthServerIsUp
snmp-server trap disable wlsxAuthServerReqTimedOut
snmp-server trap disable wlsxAuthServerTimedOut
snmp-server trap disable wlsxChannelChanged
snmp-server trap disable wlsxCoverageHoleDetected
snmp-server trap disable wlsxDBCommunicationFailure
snmp-server trap disable wlsxDisconnectStationAttack
snmp-server trap disable wlsxESIServerDown
snmp-server trap disable wlsxESIServerUp
snmp-server trap disable wlsxFanFailure
snmp-server trap disable wlsxFanTrayInserted
snmp-server trap disable wlsxFanTrayRemoved
snmp-server trap disable wlsxGBICInserted
snmp-server trap disable wlsxIpSpoofingDetected
snmp-server trap disable wlsxLCInserted
snmp-server trap disable wlsxLCRemoved
snmp-server trap disable wlsxLicenseExpiry
snmp-server trap disable wlsxLowMemory
snmp-server trap disable wlsxLowOnFlashSpace
snmp-server trap disable wlsxOutOfRangeTemperature
snmp-server trap disable wlsxOutOfRangeVoltage
snmp-server trap disable wlsxPowerSupplyFailure
snmp-server trap disable wlsxPowerSupplyMissing
snmp-server trap disable wlsxProcessDied
snmp-server trap disable wlsxProcessExceedsMemoryLimits
snmp-server trap disable wlsxSCInserted
snmp-server trap disable wlsxSignatureMatch
snmp-server trap disable wlsxStaUnAssociatedFromUnsecureAP
snmp-server trap disable wlsxStationAddedToBlackList
snmp-server trap disable wlsxStationRemovedFromBlackList
snmp-server trap disable wlsxSwitchIPChanged
snmp-server trap disable wlsxSwitchRoleChange
snmp-server trap disable wlsxUserAuthenticationFailed
snmp-server trap disable wlsxUserEntryAuthenticated
snmp-server trap disable wlsxUserEntryChanged
snmp-server trap disable wlsxUserEntryCreated
snmp-server trap disable wlsxUserEntryDeAuthenticated
snmp-server trap disable wlsxUserEntryDeleted
snmp-server trap disable wlsxVrrpStateChange
firewall-visibility
process monitor log
end

disable wlsxUserEntryDeletedsnmp-server trap disable wlsxVrrpStateChangefirewall-visibility process monitor logend

WLAN Interoperability Test Report

Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP115 and AP225
WLAN configuration: Beacon Interval 100ms; DTIM Interval 5; 802.11d Regulatory Domain XX; WMM Enabled (AutoWMM); No Auto-tune; Single Voice VLAN

| Test Case | Description | AP115 2.4GHz | AP115 5.0GHz | AP225 2.4GHz | AP225 5.0GHz | Comment |
|---|---|---|---|---|---|---|
| | TEST AREA ASSOCIATION AUTHENTICATION | | | | | |
| 101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS | |
| 104 | Association with WPA-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 105 | Association with WPA-PSK authentication, AES-CCMP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 106 | Association with WPA2-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS | |
| 110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL |
| 111 | Association with EAP-FAST authentication | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment |
| 116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate |
| | TEST AREA POWER-SAVE AND QOS PASS | | | | | |
| 150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL |
| 151 | Beacon period and DTIM interval | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
| 152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment |
| 202 | WMM prioritization | PASS | PASS | PASS | PASS | background load generated with iPerf. No degeneration of voice quality |
| | TEST AREA PERFORMANCE | | | | | |
| 301 | Active mode - unencrypted | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 303 | Active mode - encrypted with WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 308 | Power-save mode U-APSD - WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 309 | Power-save mode U-APSD - WPA2-PSK AES, background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 310 | CAC - TSPEC | PASS | PASS | PASS | PASS | No TSPEC based CAC |
| | TEST AREA ROAMING AND HANDOVER TIMES | | | | | |
| 401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | avg a/n 24ms, b/g/n 24ms |
| 403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 52ms, b/g/n 59ms |
| 408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 63ms, b/g/n 62ms |
| 410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | always on, see 408 |
| 411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | always on, see 408 |
| | TEST AREA BATTERY LIFETIME | | | | | |
| 501 | Battery lifetime in idle | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 502 | Battery lifetime in call with no power save | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 504 | Battery lifetime in call with power save mode U-APSD | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| | TEST AREA STABILITY | | | | | |
| 601 | Duration of call - Active mode | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 602 | Duration of call - U-APSD mode | PASS | PASS | PASS | PASS | |
| | TEST AREA 802.11n | | | | | |
| 801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 804 | 40MHz channels | NOT TESTED | PASS | NOT TESTED | NOT TESTED | |
| 805 | 802.11n rates | PASS | PASS | PASS | PASS | |

WLAN Interoperability Test Report

Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP103 and AP205
WLAN configuration: Beacon Interval 100ms; DTIM Interval 5; 802.11d Regulatory Domain XX; WMM Enabled (AutoWMM); No Auto-tune; Single Voice VLAN

| Test Case | Description | AP205 2.4GHz | AP205 5.0GHz | AP103 2.4GHz | AP103 5.0GHz | Comment |
|---|---|---|---|---|---|---|
| | TEST AREA ASSOCIATION AUTHENTICATION | | | | | |
| 101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS | |
| 104 | Association with WPA-PSK authentication, TKIP encryption | See Comment | See Comment | See Comment | See Comment | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 105 | Association with WPA-PSK authentication, AES-CCMP encryption | See Comment | See Comment | See Comment | See Comment | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 106 | Association with WPA2-PSK authentication, TKIP encryption | PASS | PASS | PASS | PASS | |
| 107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS | |
| 110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL |
| 115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment |
| 116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate |
| | TEST AREA POWER-SAVE AND QOS PASS | | | | | |
| 150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL |
| 151 | Beacon period and DTIM interval | See Comment | See Comment | PASS | PASS | Only Dtim 1 for AP205. AP103 no remark. NOT TESTED |
| 152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment |
| 202 | WMM prioritization | PASS | PASS | PASS | PASS | |
| | TEST AREA PERFORMANCE | | | | | |
| 301 | Active mode - unencrypted | PASS | PASS | PASS | PASS | |
| 303 | Active mode - encrypted with WPA2-PSK | PASS | PASS | PASS | PASS | |
| 308 | Power-save mode U-APSD - WPA2-PSK | PASS | PASS | PASS | PASS | |
| 309 | Power-save mode U-APSD - WPA2-PSK AES, background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 310 | CAC - TSPEC | PASS | PASS | PASS | PASS | Non tspec based CAC |
| | TEST AREA ROAMING AND HANDOVER TIMES | | | | | |
| 401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 16ms, b/g/n 18ms |
| 403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 53ms, b/g/n 59ms |
| 408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 46ms, b/g/n 62ms |
| 410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | always on, see 408 |
| 411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | always on, see 408 |
| | TEST AREA BATTERY LIFETIME | | | | | |
| 501 | Battery lifetime in idle | See Comment | See Comment | PASS | PASS | 60-70h due to DTIM 1 only. AP103 90 100h (DTIM 5) |
| 502 | Battery lifetime in call with no power save | PASS | PASS | PASS | PASS | 3-4hours |
| 504 | Battery lifetime in call with power save mode U-APSD | PASS | PASS | PASS | PASS | 13h (14-16h for AP103) |
| | TEST AREA STABILITY | | | | | |
| 601 | Duration of call - Active mode | PASS | PASS | PASS | PASS | 24h + |
| 602 | Duration of call - U-APSD mode | PASS | PASS | PASS | PASS | 24h + |
| | TEST AREA 802.11n | | | | | |
| 801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 804 | 40MHz channels | NOT TESTED | PASS | NOT TESTED | PASS | AP205 80mhz channels verified ok |
| 805 | 802.11n rates | PASS | PASS | PASS | PASS | |

WLAN Interoperability Test Report

Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP105 and AP135
WLAN configuration: Beacon Interval 100ms; DTIM Interval 5; 802.11d Regulatory Domain XX; WMM Enabled (AutoWMM); No Auto-tune; Single Voice VLAN

| Test Case | Description | AP105 2.4GHz | AP105 5.0GHz | AP135 2.4GHz | AP135 5.0GHz | Comment |
|---|---|---|---|---|---|---|
| | TEST AREA ASSOCIATION AUTHENTICATION | | | | | |
| 101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS | |
| 104 | Association with WPA-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 105 | Association with WPA-PSK authentication, AES-CCMP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 106 | Association with WPA2-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS | |
| 110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL |
| 115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment |
| 116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate |
| | TEST AREA POWER-SAVE AND QOS PASS | | | | | |
| 150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL |
| 151 | Beacon period and DTIM interval | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Only Dtim 1 for AP205. AP103 no remark. NOT TESTED |
| 152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment |
| 202 | WMM prioritization | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | background load generated with iPerf. No degeneration of voice quality |
| | TEST AREA PERFORMANCE | | | | | |
| 301 | Active mode - unencrypted | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 303 | Active mode - encrypted with WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 308 | Power-save mode U-APSD - WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 309 | Power-save mode U-APSD - WPA2-PSK AES, background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 310 | CAC - TSPEC | PASS | PASS | PASS | PASS | No TSPEC based CAC |
| | TEST AREA ROAMING AND HANDOVER TIMES | | | | | |
| 401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | avg a/n 29ms, b/g/n 27ms |
| 403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 57ms, b/g/n 55ms |
| 408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 62ms, b/g/n 60ms |
| 410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | Always on, see 408 |
| 411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | Always on, see 408 |
| 412 | Preauthentication | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| | TEST AREA BATTERY LIFETIME | | | | | |
| 501 | Battery lifetime in idle | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 502 | Battery lifetime in call with no power save | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 504 | Battery lifetime in call with power save mode U-APSD | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| | TEST AREA STABILITY | | | | | |
| 601 | Duration of call - Active mode | PASS | PASS | PASS | PASS | |
| 602 | Duration of call - U-APSD mode | PASS | PASS | PASS | PASS | |
| | TEST AREA 802.11n | | | | | |
| 801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 804 | 40MHz channels | NOT TESTED | NOT TESTED | NOT TESTED | PASS | |
| 805 | 802.11n rates | PASS | PASS | PASS | PASS | |

description Remaining-Services
airgroup service airplay enable
airgroup service airprint enable
airgroup service itunes disable
airgroup service remotemgmt disable
airgroup service sharing disable
airgroup service chat disable
airgroup service googlecast disable
airgroup service DIAL enable
airgroup service DLNA Media disable
airgroup service DLNA Print disable
airgroup service allowall disable
ip igmp
ipv6 mld
no firewall attack-rate cp 1024
firewall enable ICE-STUN based firewall traversal
firewall attack-rate grat-arp 50 drop
ipv6 firewall ext-hdr-parse-len 100
firewall cp
ip domain lookup
country US
aaa authentication mac default
aaa authentication dot1x ArubaIntop-dot1x_prof
aaa authentication dot1x ascom machine-authentication enable machine-authentication machine-default-role ascom machine-authentication user-default-role authenticated reauthentication termination enable termination eap-type eap-peap termination inner-eap-type eap-mschapv2
aaa authentication dot1x default
aaa authentication dot1x Freeradius machine-authentication enable machine-authentication machine-default-role ascom machine-authentication user-default-role authenticated
aaa authentication-server radius Intop host 19216802

key 6035e299cd29e5ccb74cf92aac31ee2f
aaa server-group ascom auth-server Internal
aaa server-group default auth-server Internal set role condition role value-of
aaa server-group intop auth-server Intop
aaa profile ascom initial-role ascom authentication-dot1x ascom dot1x-default-role authenticated dot1x-server-group ascom
aaa profile default
aaa profile default-dot1x initial-role ascom authentication-dot1x Freeradius dot1x-default-role authenticated dot1x-server-group intop
aaa profile default-dot1x-psk initial-role ascom authentication-dot1x default-psk dot1x-default-role authenticated
aaa authentication captive-portal default
aaa authentication wispr default
aaa authentication vpn default
aaa authentication vpn default-rap
aaa authentication mgmt
aaa authentication stateful-ntlm default
aaa authentication stateful-kerberos default
aaa authentication stateful-dot1x server-group intop
aaa authentication wired
web-server
guest-access-email
voice logging
voice dialplan-profile default
app lync traffic-control default
voice real-time-config
voice sip
aaa password-policy mgmt

control-plane-security no cpsec-enable
ids wms-general-profile poll-retries 3
ids wms-local-system-profile
valid-network-oui-profile
upgrade-profile
license profile
activate-service-whitelist
file syncing profile
ifmap cppm
pan profile default
pan active-profile
ap system-profile default
ap regulatory-domain-profile default country-code US valid-11g-channel 1 valid-11g-channel 6 valid-11g-channel 11 valid-11a-channel 36 valid-11a-channel 40 valid-11a-channel 44 valid-11a-channel 48 valid-11a-channel 149 valid-11a-channel 153 valid-11a-channel 157 valid-11a-channel 161 valid-11a-channel 165 valid-11g-40mhz-channel-pair 1-5 valid-11g-40mhz-channel-pair 7-11 valid-11a-40mhz-channel-pair 36-40 valid-11a-40mhz-channel-pair 44-48 valid-11a-40mhz-channel-pair 149-153 valid-11a-40mhz-channel-pair 157-161
ap wired-ap-profile default
ap enet-link-profile default
ap mesh-ht-ssid-profile default
ap lldp med-network-policy-profile default
ap mesh-cluster-profile default
ap lldp profile default
ap mesh-radio-profile default
ap wired-port-profile default
ids general-profile default
ids unauthorized-device-profile default

ids profile default
rf arm-profile default assignment disable
rf arm-profile disable assignment disable no scanning no multi-band-scan
rf optimization-profile default
rf event-thresholds-profile default
rf am-scan-profile default
rf dot11a-radio-profile ch 165 channel 48E tx-power 6 arm-profile disable
rf dot11a-radio-profile ch 36 channel 36E tx-power 25 dot11h arm-profile disable
rf dot11a-radio-profile ch 40 channel 40- tx-power 22
rf dot11a-radio-profile ch149 channel 149E tx-power 6 dot11h
rf dot11a-radio-profile ch44 channel 44 tx-power 16
rf dot11a-radio-profile default arm-profile disable
rf dot11g-radio-profile channel-1 channel 1 tx-power 6 dot11h arm-profile disable
rf dot11g-radio-profile channel-11 channel 11 tx-power 30 dot11h arm-profile disable
rf dot11g-radio-profile channel-6 channel 6 tx-power 25 dot11h arm-profile disable
rf dot11g-radio-profile default
wlan handover-trigger-profile default

wlan rrm-ie-profile default
wlan bcn-rpt-req-profile default
wlan dot11r-profile default
wlan tsm-req-profile default
wlan voip-cac-profile default call-capacity 5 bandwidth-capacity 200 send-sip-status-code client 503 send-sip-status-code server 503
wlan ht-ssid-profile default no 40MHz-enable no very-high-throughput-enable no 80MHz-enable no short-guard-intvl-20MHz no short-guard-intvl-40MHz no short-guard-intvl-80MHz
wlan hotspot anqp-venue-name-profile default
wlan hotspot anqp-nwk-auth-profile default
wlan hotspot anqp-roam-cons-profile default
wlan hotspot anqp-nai-realm-profile default
wlan hotspot anqp-3gpp-nwk-profile default
wlan hotspot h2qp-operator-friendly-name-profile default
wlan hotspot h2qp-wan-metrics-profile default
wlan hotspot h2qp-conn-capability-profile default
wlan hotspot h2qp-op-cl-profile default
wlan hotspot anqp-ip-addr-avail-profile default
wlan hotspot anqp-domain-name-profile default
wlan wmm-traffic-management-profile Ascom enable-shaping
wlan edca-parameters-profile station default
wlan edca-parameters-profile ap default
wlan dot11k-profile default
wlan ssid-profile --NEW-- essid ArubaIntop2 wmm-vo-dscp 56 wmm-vi-dscp 40 wmm-be-dscp 24 wmm-bk-dscp 8
wlan ssid-profile default essid ArubaIntop opmode wpa2-psk-aes dtim-period 5 g-basic-rates 6 g-tx-rates 11 12 18 24 36 48 54

max-retries 4 wmm wmm-vo-dscp 46 wmm-vi-dscp 40 wmm-be-dscp 26 wmm-bk-dscp 0 wepkey1 1317981aecb1ee9a3145cbeeabbbc99a4c29e309ef9c8544 wpa-passphrase 50a78a5dac7e447441e028920cceef898a3ba5f29c6e2098 max-tx-fail 25 edca-parameters-profile station default edca-parameters-profile ap default
wlan ssid-profile test opmode wpa2-psk-aes wmm-vo-dscp 56 wmm-vi-dscp 40 wmm-be-dscp 24 wmm-bk-dscp 8 wpa-passphrase c66913b490044f55538730b888a8522c02008a746fb88738
wlan hotspot advertisement-profile default
wlan hotspot hs2-profile default
wlan virtual-ap default aaa-profile default-dot1x
ap provisioning-profile default
rf arm-rf-domain-profile arm-rf-domain-key 49868e8b02680a8f03980ea4288197a4
ap-lacp-striping-ip
ap-group default virtual-ap default dot11a-radio-profile ch149 dot11g-radio-profile channel-6
ap-name 001a1eca2c1a dot11a-radio-profile ch 36 dot11g-radio-profile channel-11
ap-name 001a1eca2c76 dot11a-radio-profile ch 36 dot11g-radio-profile channel-1
ap-name 00246ccbf8b1
ap-name 00246ccbf900 dot11a-radio-profile ch44 dot11g-radio-profile channel-11
ap-name 24dec6cacabc dot11a-radio-profile ch149 dot11g-radio-profile channel-1
ap-name 3400-ap-61-a dot11g-radio-profile channel-6
ap-name 3400-ap-61-b dot11g-radio-profile channel-6
ap-name 9c1c12c0c3bc dot11a-radio-profile ch 165 dot11g-radio-profile channel-6

ap-name 9c1c12c82e5c dot11a-radio-profile ch149 dot11g-radio-profile channel-1
ap-name 9c1c12cc6220 dot11a-radio-profile ch 36 dot11g-radio-profile channel-6
ap-name d8c7c8c0a168 dot11a-radio-profile ch 36 dot11g-radio-profile channel-1
airgroup cppm-server aaa
logging level warnings security subcat ids
logging level warnings security subcat ids-ap
snmp-server enable trap
snmp-server trap source 0000
snmp-server trap disable wlsxAdhocNetwork
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedAP
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedSta
snmp-server trap disable wlsxAdhocUsingValidSSID
snmp-server trap disable wlsxAuthMaxAclEntries
snmp-server trap disable wlsxAuthMaxBWContracts
snmp-server trap disable wlsxAuthMaxUserEntries
snmp-server trap disable wlsxAuthServerIsUp
snmp-server trap disable wlsxAuthServerReqTimedOut
snmp-server trap disable wlsxAuthServerTimedOut
snmp-server trap disable wlsxChannelChanged
snmp-server trap disable wlsxCoverageHoleDetected
snmp-server trap disable wlsxDBCommunicationFailure
snmp-server trap disable wlsxDisconnectStationAttack
snmp-server trap disable wlsxESIServerDown
snmp-server trap disable wlsxESIServerUp
snmp-server trap disable wlsxFanFailure
snmp-server trap disable wlsxFanTrayInserted
snmp-server trap disable wlsxFanTrayRemoved
snmp-server trap disable wlsxGBICInserted
snmp-server trap disable wlsxIpSpoofingDetected
snmp-server trap disable wlsxLCInserted
snmp-server trap disable wlsxLCRemoved
snmp-server trap disable wlsxLicenseExpiry
snmp-server trap disable wlsxLowMemory
snmp-server trap disable wlsxLowOnFlashSpace
snmp-server trap disable wlsxOutOfRangeTemperature
snmp-server trap disable wlsxOutOfRangeVoltage
snmp-server trap disable wlsxPowerSupplyFailure
snmp-server trap disable wlsxPowerSupplyMissing
snmp-server trap disable wlsxProcessDied
snmp-server trap disable wlsxProcessExceedsMemoryLimits
snmp-server trap disable wlsxSCInserted
snmp-server trap disable wlsxSignatureMatch
snmp-server trap disable wlsxStaUnAssociatedFromUnsecureAP
snmp-server trap disable wlsxStationAddedToBlackList
snmp-server trap disable wlsxStationRemovedFromBlackList
snmp-server trap disable wlsxSwitchIPChanged
snmp-server trap disable wlsxSwitchRoleChange
snmp-server trap disable wlsxUserAuthenticationFailed
snmp-server trap disable wlsxUserEntryAuthenticated
snmp-server trap disable wlsxUserEntryChanged
snmp-server trap disable wlsxUserEntryCreated
snmp-server trap disable wlsxUserEntryDeAuthenticated
snmp-server trap disable wlsxUserEntryDeleted
snmp-server trap disable wlsxVrrpStateChange

firewall-visibility
process monitor log
end

version 64enable secret 7d3988e20126db68084797bcc038534bffc2ced01c24555806hostname Aruba3400clock timezone PST -8location Building1floor1 controller config 716ip NAT pool dynamic-srcnat 0000 0000ip access-list eth validuserethacl permit any netservice svc-pcoip2-tcp tcp 4172netservice svc-snmp-trap udp 162netservice svc-netbios-dgm udp 138netservice svc-citrix tcp 2598netservice svc-smb-tcp tcp 445netservice svc-ike udp 500netservice svc-l2tp udp 1701netservice svc-syslog udp 514netservice svc-dhcp udp 67 68 alg dhcpnetservice svc-https tcp 443netservice svc-ica tcp 1494netservice svc-pptp tcp 1723netservice svc-telnet tcp 23netservice svc-http-accl tcp 88netservice svc-sccp tcp 2000 alg sccpnetservice svc-sec-papi udp 8209netservice svc-tftp udp 69 alg tftpnetservice svc-kerberos udp 88netservice svc-sip-tcp tcp 5060netservice svc-netbios-ssn tcp 139netservice svc-pcoip-udp udp 50002netservice svc-pcoip-tcp tcp 50002netservice svc-pop3 tcp 110netservice svc-adp udp 8200netservice svc-cfgm-tcp tcp 8211netservice svc-noe udp 32512 alg noenetservice svc-http-proxy3 tcp 8888netservice svc-lpd-tcp tcp 631netservice svc-msrpc-tcp tcp 135 139netservice svc-rtsp tcp 554 alg rtspnetservice svc-dns udp 53 alg dnsnetservice vnc tcp 5900 5905netservice svc-vocera udp 5002 alg voceranetservice svc-h323-tcp tcp 1720netservice svc-h323-udp udp 1718 1719netservice svc-http tcp 80netservice svc-nterm tcp 1026 1028netservice svc-sip-udp udp 5060netservice svc-http-proxy2 tcp 8080netservice svc-noe-oxo udp 5000 alg noenetservice svc-papi udp 8211netservice svc-ftp tcp 21 alg ftpnetservice svc-natt udp 4500netservice svc-svp 119 alg svpnetservice svc-microsoft-ds tcp 445netservice svc-gre 47netservice svc-smtp tcp 25netservice web tcp list 80 443netservice svc-smb-udp udp 445netservice svc-sips tcp 5061 alg sipsnetservice svc-netbios-ns udp 137netservice svc-esp 50netservice svc-cups tcp 515netservice svc-pcoip2-udp udp 4172netservice svc-bootp udp 67 69netservice svc-snmp udp 
161netservice svc-v6-dhcp udp 546 547netservice svc-icmp 1netservice svc-ntp udp 123netservice svc-msrpc-udp udp 135 139netservice svc-ssh tcp 22netservice svc-http-proxy1 tcp 3128netservice svc-v6-icmp 58netservice svc-lpd-udp udp 631netservice svc-vmware-rdp tcp 3389netdestination6 ipv6-reserved-range invert network 20003netexthdr defaulttime-range night-hours periodic weekday 1801 to 2359 weekday 0000 to 0759time-range weekend periodic weekend 0000 to 2359time-range working-hours periodic weekday 0800 to 1800ip access-list session allow-diskservices any any svc-netbios-dgm permit any any svc-netbios-ssn permit any any svc-microsoft-ds permit any any svc-netbios-ns permit ip access-list session control any any svc-papi permit any any svc-sec-papi permit user any udp 68 deny any any svc-icmp permit any any svc-dns permit any any svc-cfgm-tcp permit any any svc-adp permit any any svc-tftp permit any any svc-dhcp permit any any svc-natt permit ip access-list session v6-icmp-aclip access-list session apprf-ascom-saclip access-list session validuser network 16925400 25525500 any any deny network 127000 255000 any any deny network 224000 240000 any any deny host 255255255255 any any deny network 240000 240000 any any deny any any any permit ipv6 host fe80 any any deny ipv6 network fc007 any any permit ipv6 network fe8064 any any permit ipv6 alias ipv6-reserved-range any any deny ipv6 any any any permit ip access-list session vocera-acl any any svc-vocera permit queue high ip access-list session v6-https-aclip access-list session vmware-acl any any svc-vmware-rdp permit tos 46 dot1p-priority 6 any any svc-pcoip-tcp permit tos 46 dot1p-priority 6 any any svc-pcoip-udp permit tos 46 dot1p-priority 6 any any svc-pcoip2-tcp permit tos 46 dot1p-priority 6 any any svc-pcoip2-udp permit tos 46 dot1p-priority 6 ip access-list session apprf-default-vpn-role-saclip access-list session v6-control ipv6 any any svc-papi permit ipv6 any any svc-sec-papi permit ipv6 user any udp 547 
deny ipv6 any any svc-v6-icmp permit ipv6 any any svc-dns permit ipv6 any any svc-cfgm-tcp permit ipv6 any any svc-adp permit ipv6 any any svc-tftp permit ipv6 any any svc-dhcp permit ipv6 any any svc-natt permit ip access-list session icmp-acl any any svc-icmp permit ip access-list session apprf-authenticated-saclip access-list session apprf-stateful-dot1x-saclip access-list session captiveportal user alias controller svc-https dst-nat 8081 user any svc-http dst-nat 8080 user any svc-https dst-nat 8081 user any svc-http-proxy1 dst-nat 8088 user any svc-http-proxy2 dst-nat 8088 user any svc-http-proxy3 dst-nat 8088 ip access-list session v6-dhcp-aclip access-list session allowall any any any permit ip access-list session v6-dns-aclip access-list session apprf-voice-saclip access-list session lync-acl any any svc-sips permit queue high ip access-list session testip access-list session sip-acl any any svc-sip-udp permit queue high any any svc-sip-tcp permit queue high ip access-list session https-acl any any svc-https permit ip access-list session citrix-acl any any svc-citrix permit tos 46 dot1p-priority 6 any any svc-ica permit tos 46 dot1p-priority 6 ip access-list session dns-acl any any svc-dns permit ip access-list session ascom any any any permit ip access-list session ra-guard ipv6 user any icmpv6 rtr-adv deny ip access-list session allow-printservices any any svc-cups permit any any svc-lpd-tcp permit any any svc-lpd-udp permit ip access-list session logon-control user any udp 68 deny any any svc-icmp permit any any svc-dns permit any any svc-dhcp permit any any svc-natt permit any network 16925400 25525500 any deny any network 240000 240000 any deny ip access-list session vpnlogon user any svc-ike permit user any svc-esp permit any any svc-l2tp permit any any svc-pptp permit any any svc-gre permit ip access-list session srcnat user any any src-nat ip access-list session skinny-acl any any svc-sccp permit queue high ip access-list session tftp-acl any any 
svc-tftp permit ip access-list session v6-allowallip access-list session apprf-cpbase-saclip access-list session cplogout user alias controller svc-https dst-nat 8081 ip access-list session apprf-default-via-role-saclip access-list session dhcp-acl any any svc-dhcp permit ip access-list session http-acl any any svc-http permit ip access-list session v6-http-aclip access-list session captiveportal6 ipv6 user alias controller6 svc-https captive ipv6 user any svc-http captive ipv6 user any svc-https captive ipv6 user any svc-http-proxy1 captive ipv6 user any svc-http-proxy2 captive ipv6 user any svc-http-proxy3 captive ip access-list session apprf-guest-saclip access-list session ap-uplink-acl any any udp 68 permit any any svc-icmp permit any host 22400251 udp 5353 permit ip access-list session ap-acl any any svc-gre permit any any svc-syslog permit any user svc-snmp permit user any svc-http permit user any svc-http-accl permit user any svc-smb-tcp permit user any svc-msrpc-tcp permit user any svc-snmp-trap permit user any svc-ntp permit user alias controller svc-ftp permit ip access-list session svp-acl any any svc-svp permit queue high user host 22401116 any permit ip access-list session noe-acl any any svc-noe permit queue high ip access-list session global-saclip access-list session v6-ap-acl ipv6 any any svc-gre permit ipv6 any any svc-syslog permit ipv6 any user svc-snmp permit ipv6 user any svc-snmp-trap permit ipv6 user any svc-ntp permit ipv6 user alias controller6 svc-ftp permit ip access-list session h323-acl any any svc-h323-tcp permit queue high any any svc-h323-udp permit queue high ip access-list session v6-logon-control ipv6 any network fc007 any permit ipv6 any network fe8064 any permit ipv6 any alias ipv6-reserved-range any deny vpn-dialer default-dialer ike authentication PRE-SHARE 0fa4598253e270cc96afbec0732b06120e4a3d76a908f6e2dot1x high-watermark 60dot1x low-watermark 57user-role ap-role access-list session ra-guard access-list session control 
  access-list session ap-acl
  access-list session v6-control
  access-list session v6-ap-acl
user-role denyall
user-role default-vpn-role
  access-list session global-sacl
  access-list session apprf-default-vpn-role-sacl
  access-list session ra-guard
  access-list session allowall
  access-list session v6-allowall
user-role cpbase
  access-list session global-sacl
  access-list session apprf-cpbase-sacl
user-role voice
  access-list session global-sacl
  access-list session apprf-voice-sacl
  access-list session ra-guard
  access-list session sip-acl
  access-list session noe-acl
  access-list session svp-acl
  access-list session vocera-acl
  access-list session skinny-acl
  access-list session h323-acl
  access-list session dhcp-acl
  access-list session tftp-acl
  access-list session dns-acl
  access-list session icmp-acl
user-role ascom
  access-list session global-sacl
  access-list session apprf-ascom-sacl
  access-list session ascom
user-role default-via-role
  access-list session global-sacl
  access-list session apprf-default-via-role-sacl
  access-list session allowall
  access-list session v6-allowall
user-role guest-logon
  captive-portal default
  access-list session ra-guard
  access-list session logon-control
  access-list session captiveportal
  access-list session v6-logon-control
  access-list session captiveportal6
user-role guest
  access-list session global-sacl
  access-list session apprf-guest-sacl
  access-list session ra-guard
  access-list session http-acl
  access-list session https-acl
  access-list session dhcp-acl
  access-list session icmp-acl
  access-list session dns-acl
  access-list session v6-http-acl
  access-list session v6-https-acl
  access-list session v6-dhcp-acl
  access-list session v6-icmp-acl
  access-list session v6-dns-acl
user-role stateful-dot1x
  access-list session global-sacl
  access-list session apprf-stateful-dot1x-sacl
user-role authenticated
  access-list session global-sacl
  access-list session apprf-authenticated-sacl
  access-list session ra-guard
  access-list session allowall
  access-list session v6-allowall
user-role logon
  access-list session ra-guard
  access-list session logon-control
  access-list session captiveportal
  access-list session vpnlogon
  access-list session v6-logon-control
  access-list session captiveportal6
no kernel coredump
interface mgmt
  shutdown
dialer group evdo_us
  init-string ATQ0V1E0
  dial-string ATDT777
dialer group gsm_us
  init-string AT+CGDCONT=1IPISPCINGULAR
  dial-string ATD99
dialer group gsm_asia
  init-string AT+CGDCONT=1IPinternet
  dial-string ATD991
dialer group vivo_br
  init-string AT+CGDCONT=1IPzapvivocombr
  dial-string ATD99
no spanning-tree
interface gigabitethernet 10
  description GE10
  trusted
  trusted vlan 1-4094
interface gigabitethernet 11
  description GE11
  trusted
  trusted vlan 1-4094
interface gigabitethernet 12
  description GE12
  trusted
  trusted vlan 1-4094
interface gigabitethernet 13
  description GE13
  trusted
  trusted vlan 1-4094
interface vlan 1
  ip address 192168013 2552552550
ip default-gateway 172201061
ip default-gateway 192168050
uplink disable
crypto isakmp policy 20
  encryption aes256
crypto isakmp policy 10001
crypto isakmp policy 10002
  encryption aes256
  authentication rsa-sig
crypto isakmp policy 10003
  encryption aes256
crypto isakmp policy 10004
  version v2
  encryption aes256
  authentication rsa-sig
crypto isakmp policy 10005
  encryption aes256
crypto isakmp policy 10006
  version v2
  encryption aes128
  authentication rsa-sig
crypto isakmp policy 10007
  version v2
  encryption aes128
crypto isakmp policy 10008
  version v2
  encryption aes128
  hash sha2-256-128
  group 19
  authentication ecdsa-256
  prf prf-hmac-sha256
crypto isakmp policy 10009
  version v2
  encryption aes256
  hash sha2-384-192
  group 20
  authentication ecdsa-384
  prf prf-hmac-sha384
crypto ipsec transform-set default-ha-transform esp-3des esp-sha-hmac
crypto ipsec transform-set default-boc-bm-transform esp-3des esp-sha-hmac
crypto ipsec transform-set default-rap-transform esp-aes256 esp-sha-hmac
crypto ipsec transform-set default-aes esp-aes256 esp-sha-hmac
crypto dynamic-map default-rap-ipsecmap 10001
  version v2
  set transform-set default-gcm256 default-gcm128 default-rap-transform
crypto dynamic-map default-dynamicmap 10000
  set transform-set default-transform default-aes
crypto map GLOBAL-IKEV2-MAP 10000 ipsec-isakmp dynamic default-rap-ipsecmap
crypto map GLOBAL-MAP 10000 ipsec-isakmp dynamic default-dynamicmap
crypto isakmp eap-passthrough eap-tls
crypto isakmp eap-passthrough eap-peap
crypto isakmp eap-passthrough eap-mschapv2
vpdn group l2tp
vpdn group pptp
tunneled-node-address 0000
adp discovery enable
adp igmp-join enable
adp igmp-vlan 0
voice rtcp-inactivity disable
voice alg-based-cac enable
voice sip-midcall-req-timeout disable
ap ap-blacklist-time 3600
ap flush-r1-on-new-r0 disable
mgmt-user admin root 5436b5a101681372db26d314e974065944317cd3e1fe6a5534
no database synchronize
ip mobile domain default
airgroup mdns enable
airgroup dlna enable
airgroup location-discovery enable
airgroup active-wireless-discovery disable
airgroupservice airplay
  id _airplay_tcp
  id _raop_tcp
  id _appletv-v2_tcp
  description AirPlay
airgroupservice airprint
  id _ipp_tcp
  id _pdl-datastream_tcp
  id _printer_tcp
  id _scanner_tcp
  id _universal_sub_ipp_tcp
  id _universal_sub_ipps_tcp
  id _printer_sub_http_tcp
  id _http_tcp
  id _http-alt_tcp
  id _ipp-tls_tcp
  id _fax-ipp_tcp
  id _riousbprint_tcp
  id _cups_sub_ipp_tcp
  id _cups_sub_fax-ipp_tcp
  id _ica-networking_tcp
  id _ptp_tcp
  id _canon-bjnp1_tcp
  id _ipps_tcp
  id _ica-networking2_tcp
  description AirPrint
airgroupservice itunes
  id _home-sharing_tcp
  id _apple-mobdev_tcp
  id _daap_tcp
  id _dacp_tcp
  description iTunes
airgroupservice remotemgmt
  id _ssh_tcp
  id _sftp-ssh_tcp
  id _ftp_tcp
  id _telnet_tcp
  id _rfb_tcp
  id _net-assistant_tcp
  description Remote management
airgroupservice sharing
  id _odisk_tcp
  id _afpovertcp_tcp
  id _xgrid_tcp
  description Sharing
airgroupservice chat
  id _presence_tcp
  description Chat
airgroupservice googlecast
  id _googlecast_tcp
  description GoogleCast supported by Chromecast etc
airgroupservice DIAL
  id urndial-multiscreen-orgservicedial1
  id urndial-multiscreen-orgdevicedial1
  description DIAL supported by Chromecast FireTV Roku etc
airgroupservice DLNA Media
  id urnschemas-upnp-orgdeviceMediaServer1
  id urnschemas-upnp-orgdeviceMediaServer2
  id urnschemas-upnp-orgdeviceMediaServer3
  id urnschemas-upnp-orgdeviceMediaServer4
  id urnschemas-upnp-orgdeviceMediaRenderer1
  id urnschemas-upnp-orgdeviceMediaRenderer2
  id urnschemas-upnp-orgdeviceMediaRenderer3
  id urnschemas-upnp-orgdeviceMediaPlayer1
  description Media
airgroupservice DLNA Print
  id urnschemas-upnp-orgdevicePrinter1
  id urnschemas-upnp-orgservicePrintBasic1
  id urnschemas-upnp-orgservicePrintEnhanced1
  description Print
airgroupservice allowall
  description Remaining-Services
airgroup service airplay enable
airgroup service airprint enable
airgroup service itunes disable
airgroup service remotemgmt disable
airgroup service sharing disable
airgroup service chat disable
airgroup service googlecast disable
airgroup service DIAL enable
airgroup service DLNA Media disable
airgroup service DLNA Print disable
airgroup service allowall disable
ip igmp
ipv6 mld
no firewall attack-rate cp 1024
firewall enable ICE-STUN based firewall traversal
firewall attack-rate grat-arp 50 drop
ipv6 firewall ext-hdr-parse-len 100
firewall cp
ip domain lookup
country US
aaa authentication mac default
aaa authentication dot1x ArubaIntop-dot1x_prof
aaa authentication dot1x ascom
  machine-authentication enable
  machine-authentication machine-default-role ascom
  machine-authentication user-default-role authenticated
  reauthentication
  termination enable
  termination eap-type eap-peap
  termination inner-eap-type eap-mschapv2
aaa authentication dot1x default
aaa authentication dot1x Freeradius
  machine-authentication enable
  machine-authentication machine-default-role ascom
  machine-authentication user-default-role authenticated
aaa authentication-server radius Intop
  host 19216802
  key 6035e299cd29e5ccb74cf92aac31ee2f
aaa server-group ascom
  auth-server Internal
aaa server-group default
  auth-server Internal
  set role condition role value-of
aaa server-group intop
  auth-server Intop
aaa profile ascom
  initial-role ascom
  authentication-dot1x ascom
  dot1x-default-role authenticated
  dot1x-server-group ascom
aaa profile default
aaa profile default-dot1x
  initial-role ascom
  authentication-dot1x Freeradius
  dot1x-default-role authenticated
  dot1x-server-group intop
aaa profile default-dot1x-psk
  initial-role ascom
  authentication-dot1x default-psk
  dot1x-default-role authenticated
aaa authentication captive-portal default
aaa authentication wispr default
aaa authentication vpn default
aaa authentication vpn default-rap
aaa authentication mgmt
aaa authentication stateful-ntlm default
aaa authentication stateful-kerberos default
aaa authentication stateful-dot1x
  server-group intop
aaa authentication wired
web-server
guest-access-email
voice logging
voice dialplan-profile default
app lync traffic-control default
voice real-time-config
voice sip
aaa password-policy mgmt
control-plane-security
  no cpsec-enable
ids wms-general-profile
  poll-retries 3
ids wms-local-system-profile
valid-network-oui-profile
upgrade-profile
license profile
activate-service-whitelist
file syncing profile
ifmap cppm
pan profile default
pan active-profile
ap system-profile default
ap regulatory-domain-profile default
  country-code US
  valid-11g-channel 1
  valid-11g-channel 6
  valid-11g-channel 11
  valid-11a-channel 36
  valid-11a-channel 40
  valid-11a-channel 44
  valid-11a-channel 48
  valid-11a-channel 149
  valid-11a-channel 153
  valid-11a-channel 157
  valid-11a-channel 161
  valid-11a-channel 165
  valid-11g-40mhz-channel-pair 1-5
  valid-11g-40mhz-channel-pair 7-11
  valid-11a-40mhz-channel-pair 36-40
  valid-11a-40mhz-channel-pair 44-48
  valid-11a-40mhz-channel-pair 149-153
  valid-11a-40mhz-channel-pair 157-161
ap wired-ap-profile default
ap enet-link-profile default
ap mesh-ht-ssid-profile default
ap lldp med-network-policy-profile default
ap mesh-cluster-profile default
ap lldp profile default
ap mesh-radio-profile default
ap wired-port-profile default
ids general-profile default
ids unauthorized-device-profile default
ids profile default
rf arm-profile default
  assignment disable
rf arm-profile disable
  assignment disable
  no scanning
  no multi-band-scan
rf optimization-profile default
rf event-thresholds-profile default
rf am-scan-profile default
rf dot11a-radio-profile ch 165
  channel 48E
  tx-power 6
  arm-profile disable
rf dot11a-radio-profile ch 36
  channel 36E
  tx-power 25
  dot11h
  arm-profile disable
rf dot11a-radio-profile ch 40
  channel 40-
  tx-power 22
rf dot11a-radio-profile ch149
  channel 149E
  tx-power 6
  dot11h
rf dot11a-radio-profile ch44
  channel 44
  tx-power 16
rf dot11a-radio-profile default
  arm-profile disable
rf dot11g-radio-profile channel-1
  channel 1
  tx-power 6
  dot11h
  arm-profile disable
rf dot11g-radio-profile channel-11
  channel 11
  tx-power 30
  dot11h
  arm-profile disable
rf dot11g-radio-profile channel-6
  channel 6
  tx-power 25
  dot11h
  arm-profile disable
rf dot11g-radio-profile default
wlan handover-trigger-profile default
wlan rrm-ie-profile default
wlan bcn-rpt-req-profile default
wlan dot11r-profile default
wlan tsm-req-profile default
wlan voip-cac-profile default
  call-capacity 5
  bandwidth-capacity 200
  send-sip-status-code client 503
  send-sip-status-code server 503
wlan ht-ssid-profile default
  no 40MHz-enable
  no very-high-throughput-enable
  no 80MHz-enable
  no short-guard-intvl-20MHz
  no short-guard-intvl-40MHz
  no short-guard-intvl-80MHz
wlan hotspot anqp-venue-name-profile default
wlan hotspot anqp-nwk-auth-profile default
wlan hotspot anqp-roam-cons-profile default
wlan hotspot anqp-nai-realm-profile default
wlan hotspot anqp-3gpp-nwk-profile default
wlan hotspot h2qp-operator-friendly-name-profile default
wlan hotspot h2qp-wan-metrics-profile default
wlan hotspot h2qp-conn-capability-profile default
wlan hotspot h2qp-op-cl-profile default
wlan hotspot anqp-ip-addr-avail-profile default
wlan hotspot anqp-domain-name-profile default
wlan wmm-traffic-management-profile Ascom
  enable-shaping
wlan edca-parameters-profile station default
wlan edca-parameters-profile ap default
wlan dot11k-profile default
wlan ssid-profile --NEW--
  essid ArubaIntop2
  wmm-vo-dscp 56
  wmm-vi-dscp 40
  wmm-be-dscp 24
  wmm-bk-dscp 8
wlan ssid-profile default
  essid ArubaIntop
  opmode wpa2-psk-aes
  dtim-period 5
  g-basic-rates 6
  g-tx-rates 11 12 18 24 36 48 54
  max-retries 4
  wmm
  wmm-vo-dscp 46
  wmm-vi-dscp 40
  wmm-be-dscp 26
  wmm-bk-dscp 0
  wepkey1 1317981aecb1ee9a3145cbeeabbbc99a4c29e309ef9c8544
  wpa-passphrase 50a78a5dac7e447441e028920cceef898a3ba5f29c6e2098
  max-tx-fail 25
  edca-parameters-profile station default
  edca-parameters-profile ap default
wlan ssid-profile test
  opmode wpa2-psk-aes
  wmm-vo-dscp 56
  wmm-vi-dscp 40
  wmm-be-dscp 24
  wmm-bk-dscp 8
  wpa-passphrase c66913b490044f55538730b888a8522c02008a746fb88738
wlan hotspot advertisement-profile default
wlan hotspot hs2-profile default
wlan virtual-ap default
  aaa-profile default-dot1x
ap provisioning-profile default
rf arm-rf-domain-profile
  arm-rf-domain-key 49868e8b02680a8f03980ea4288197a4
ap-lacp-striping-ip
ap-group default
  virtual-ap default
  dot11a-radio-profile ch149
  dot11g-radio-profile channel-6
ap-name 001a1eca2c1a
  dot11a-radio-profile ch 36
  dot11g-radio-profile channel-11
ap-name 001a1eca2c76
  dot11a-radio-profile ch 36
  dot11g-radio-profile channel-1
ap-name 00246ccbf8b1
ap-name 00246ccbf900
  dot11a-radio-profile ch44
  dot11g-radio-profile channel-11
ap-name 24dec6cacabc
  dot11a-radio-profile ch149
  dot11g-radio-profile channel-1
ap-name 3400-ap-61-a
  dot11g-radio-profile channel-6
ap-name 3400-ap-61-b
  dot11g-radio-profile channel-6
ap-name 9c1c12c0c3bc
  dot11a-radio-profile ch 165
  dot11g-radio-profile channel-6
ap-name 9c1c12c82e5c
  dot11a-radio-profile ch149
  dot11g-radio-profile channel-1
ap-name 9c1c12cc6220
  dot11a-radio-profile ch 36
  dot11g-radio-profile channel-6
ap-name d8c7c8c0a168
  dot11a-radio-profile ch 36
  dot11g-radio-profile channel-1
airgroup cppm-server aaa
logging level warnings security subcat ids
logging level warnings security subcat ids-ap
snmp-server enable trap
snmp-server trap source 0000
snmp-server trap disable wlsxAdhocNetwork
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedAP
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedSta
snmp-server trap disable wlsxAdhocUsingValidSSID
snmp-server trap disable wlsxAuthMaxAclEntries
snmp-server trap disable wlsxAuthMaxBWContracts
snmp-server trap disable wlsxAuthMaxUserEntries
snmp-server trap disable wlsxAuthServerIsUp
snmp-server trap disable wlsxAuthServerReqTimedOut
snmp-server trap disable wlsxAuthServerTimedOut
snmp-server trap disable wlsxChannelChanged
snmp-server trap disable wlsxCoverageHoleDetected
snmp-server trap disable wlsxDBCommunicationFailure
snmp-server trap disable wlsxDisconnectStationAttack
snmp-server trap disable wlsxESIServerDown
snmp-server trap disable wlsxESIServerUp
snmp-server trap disable wlsxFanFailure
snmp-server trap disable wlsxFanTrayInserted
snmp-server trap disable wlsxFanTrayRemoved
snmp-server trap disable wlsxGBICInserted
snmp-server trap disable wlsxIpSpoofingDetected
snmp-server trap disable wlsxLCInserted
snmp-server trap disable wlsxLCRemoved
snmp-server trap disable wlsxLicenseExpiry
snmp-server trap disable wlsxLowMemory
snmp-server trap disable wlsxLowOnFlashSpace
snmp-server trap disable wlsxOutOfRangeTemperature
snmp-server trap disable wlsxOutOfRangeVoltage
snmp-server trap disable wlsxPowerSupplyFailure
snmp-server trap disable wlsxPowerSupplyMissing
snmp-server trap disable wlsxProcessDied
snmp-server trap disable wlsxProcessExceedsMemoryLimits
snmp-server trap disable wlsxSCInserted
snmp-server trap disable wlsxSignatureMatch
snmp-server trap disable wlsxStaUnAssociatedFromUnsecureAP
snmp-server trap disable wlsxStationAddedToBlackList
snmp-server trap disable wlsxStationRemovedFromBlackList
snmp-server trap disable wlsxSwitchIPChanged
snmp-server trap disable wlsxSwitchRoleChange
snmp-server trap disable wlsxUserAuthenticationFailed
snmp-server trap disable wlsxUserEntryAuthenticated
snmp-server trap disable wlsxUserEntryChanged
snmp-server trap disable wlsxUserEntryCreated
snmp-server trap disable wlsxUserEntryDeAuthenticated
snmp-server trap disable wlsxUserEntryDeleted
snmp-server trap disable wlsxVrrpStateChange
firewall-visibility
process monitor log
end


WLAN Interoperability Test Report

Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP115 and AP225

WLAN configuration:
Beacon Interval 100ms
DTIM Interval 5
802.11d Regulatory Domain XX
WMM Enabled (AutoWMM)
No Auto-tune
Single Voice VLAN

| Test Case | Description | AP115 2.4GHz | AP115 5.0GHz | AP225 2.4GHz | AP225 5.0GHz | Comment |
|---|---|---|---|---|---|---|
| | TEST AREA ASSOCIATION AUTHENTICATION | | | | | |
| 101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS | |
| 104 | Association with WPA-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 105 | Association with WPA-PSK authentication, AES-CCMP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 106 | Association with WPA2-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS | |
| 110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL |
| 111 | Association with EAP-FAST authentication | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment |
| 116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate |
| | TEST AREA POWER-SAVE AND QOS PASS | | | | | |
| 150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL |
| 151 | Beacon period and DTIM interval | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
| 152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment |
| 202 | WMM prioritization | PASS | PASS | PASS | PASS | background load generated with iPerf. No degeneration of voice quality |
| | TEST AREA PERFORMANCE | | | | | |
| 301 | Active mode - unencrypted | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 303 | Active mode - encrypted with WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 308 | Power-save mode U-APSD - WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 309 | Power-save mode U-APSD - WPA2-PSK AES, background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 310 | CAC - TSPEC | PASS | PASS | PASS | PASS | No TSPEC based CAC |
| | TEST AREA ROAMING AND HANDOVER TIMES | | | | | |
| 401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | avg a/n 24ms, b/g/n 24ms |
| 403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 52ms, b/g/n 59ms |
| 408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 63ms, b/g/n 62ms |
| 410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | always on, see 408 |
| 411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | always on, see 408 |
| | TEST AREA BATTERY LIFETIME | | | | | |
| 501 | Battery lifetime in idle | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 502 | Battery lifetime in call with no power save | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 504 | Battery lifetime in call with power save mode U-APSD | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| | TEST AREA STABILITY | | | | | |
| 601 | Duration of call - Active mode | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 602 | Duration of call - U-APSD mode | PASS | PASS | PASS | PASS | |
| | TEST AREA 802.11n | | | | | |
| 801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 804 | 40MHz channels | NOT TESTED | PASS | NOT TESTED | NOT TESTED | |
| 805 | 802.11n rates | PASS | PASS | PASS | PASS | |

WLAN Interoperability Test Report

Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP103 and AP205

WLAN configuration:
Beacon Interval 100ms
DTIM Interval 5
802.11d Regulatory Domain XX
WMM Enabled (AutoWMM)
No Auto-tune
Single Voice VLAN

| Test Case | Description | AP205 2.4GHz | AP205 5.0GHz | AP103 2.4GHz | AP103 5.0GHz | Comment |
|---|---|---|---|---|---|---|
| | TEST AREA ASSOCIATION AUTHENTICATION | | | | | |
| 101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS | |
| 104 | Association with WPA-PSK authentication, TKIP encryption | See Comment | See Comment | See Comment | See Comment | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 105 | Association with WPA-PSK authentication, AES-CCMP encryption | See Comment | See Comment | See Comment | See Comment | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 106 | Association with WPA2-PSK authentication, TKIP encryption | PASS | PASS | PASS | PASS | |
| 107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS | |
| 110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL |
| 115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment |
| 116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate |
| | TEST AREA POWER-SAVE AND QOS PASS | | | | | |
| 150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL |
| 151 | Beacon period and DTIM interval | See Comment | See Comment | PASS | PASS | Only Dtim 1 for AP205 AP103 no remark NOT TESTED |
| 152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment |
| 202 | WMM prioritization | PASS | PASS | PASS | PASS | |
| | TEST AREA PERFORMANCE | | | | | |
| 301 | Active mode - unencrypted | PASS | PASS | PASS | PASS | |
| 303 | Active mode - encrypted with WPA2-PSK | PASS | PASS | PASS | PASS | |
| 308 | Power-save mode U-APSD - WPA2-PSK | PASS | PASS | PASS | PASS | |
| 309 | Power-save mode U-APSD - WPA2-PSK AES, background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 310 | CAC - TSPEC | PASS | PASS | PASS | PASS | Non tspec based CAC |
| | TEST AREA ROAMING AND HANDOVER TIMES | | | | | |
| 401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 16ms, b/g/n 18ms |
| 403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 53ms, b/g/n 59ms |
| 408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 46ms, b/g/n 62ms |
| 410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | always on, see 408 |
| 411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | always on, see 408 |
| | TEST AREA BATTERY LIFETIME | | | | | |
| 501 | Battery lifetime in idle | See Comment | See Comment | PASS | PASS | 60-70h due to DTIM 1 only AP103 90 100h (DTIM 5) |
| 502 | Battery lifetime in call with no power save | PASS | PASS | PASS | PASS | 3-4hours |
| 504 | Battery lifetime in call with power save mode U-APSD | PASS | PASS | PASS | PASS | 13h (14-16h for AP103) |
| | TEST AREA STABILITY | | | | | |
| 601 | Duration of call - Active mode | PASS | PASS | PASS | PASS | 24h + |
| 602 | Duration of call - U-APSD mode | PASS | PASS | PASS | PASS | 24h + |
| | TEST AREA 802.11n | | | | | |
| 801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 804 | 40MHz channels | NOT TESTED | PASS | NOT TESTED | PASS | AP205 80MHz channels verified ok |
| 805 | 802.11n rates | PASS | PASS | PASS | PASS | |

WLAN Interoperability Test Report

Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP105 and AP135

WLAN configuration:
Beacon Interval 100ms
DTIM Interval 5
802.11d Regulatory Domain XX
WMM Enabled (AutoWMM)
No Auto-tune
Single Voice VLAN

| Test Case | Description | AP105 2.4GHz | AP105 5.0GHz | AP135 2.4GHz | AP135 5.0GHz | Comment |
|---|---|---|---|---|---|---|
| | TEST AREA ASSOCIATION AUTHENTICATION | | | | | |
| 101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS | |
| 104 | Association with WPA-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 105 | Association with WPA-PSK authentication, AES-CCMP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 106 | Association with WPA2-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS | |
| 110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL |
| 115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment |
| 116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate |
| | TEST AREA POWER-SAVE AND QOS PASS | | | | | |
| 150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL |
| 151 | Beacon period and DTIM interval | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Only Dtim 1 for AP205 AP103 no remark NOT TESTED |
| 152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment |
| 202 | WMM prioritization | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | background load generated with iPerf. No degeneration of voice quality |
| | TEST AREA PERFORMANCE | | | | | |
| 301 | Active mode - unencrypted | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 303 | Active mode - encrypted with WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 308 | Power-save mode U-APSD - WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 309 | Power-save mode U-APSD - WPA2-PSK AES, background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 310 | CAC - TSPEC | PASS | PASS | PASS | PASS | No TSPEC based CAC |
| | TEST AREA ROAMING AND HANDOVER TIMES | | | | | |
| 401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | avg a/n 29ms, b/g/n 27ms |
| 403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 57ms, b/g/n 55ms |
| 408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 62ms, b/g/n 60ms |
| 410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | Always on, see 408 |
| 411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | Always on, see 408 |
| 412 | Preauthentication | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| | TEST AREA BATTERY LIFETIME | | | | | |
| 501 | Battery lifetime in idle | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 502 | Battery lifetime in call with no power save | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 504 | Battery lifetime in call with power save mode U-APSD | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| | TEST AREA STABILITY | | | | | |
| 601 | Duration of call - Active mode | PASS | PASS | PASS | PASS | |
| 602 | Duration of call - U-APSD mode | PASS | PASS | PASS | PASS | |
| | TEST AREA 802.11n | | | | | |
| 801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 804 | 40MHz channels | NOT TESTED | NOT TESTED | NOT TESTED | PASS | |
| 805 | 802.11n rates | PASS | PASS | PASS | PASS | |










ap-name 9c1c12c82e5c
   dot11a-radio-profile ch149
   dot11g-radio-profile channel-1
ap-name 9c1c12cc6220
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-6
ap-name d8c7c8c0a168
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-1
airgroup cppm-server aaa
logging level warnings security subcat ids
logging level warnings security subcat ids-ap
snmp-server enable trap
snmp-server trap source 0000
snmp-server trap disable wlsxAdhocNetwork
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedAP
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedSta
snmp-server trap disable wlsxAdhocUsingValidSSID
snmp-server trap disable wlsxAuthMaxAclEntries
snmp-server trap disable wlsxAuthMaxBWContracts
snmp-server trap disable wlsxAuthMaxUserEntries
snmp-server trap disable wlsxAuthServerIsUp
snmp-server trap disable wlsxAuthServerReqTimedOut
snmp-server trap disable wlsxAuthServerTimedOut
snmp-server trap disable wlsxChannelChanged
snmp-server trap disable wlsxCoverageHoleDetected
snmp-server trap disable wlsxDBCommunicationFailure
snmp-server trap disable wlsxDisconnectStationAttack
snmp-server trap disable wlsxESIServerDown
snmp-server trap disable wlsxESIServerUp
snmp-server trap disable wlsxFanFailure
snmp-server trap disable wlsxFanTrayInserted
snmp-server trap disable wlsxFanTrayRemoved
snmp-server trap disable wlsxGBICInserted
snmp-server trap disable wlsxIpSpoofingDetected
snmp-server trap disable wlsxLCInserted
snmp-server trap disable wlsxLCRemoved
snmp-server trap disable wlsxLicenseExpiry
snmp-server trap disable wlsxLowMemory
snmp-server trap disable wlsxLowOnFlashSpace
snmp-server trap disable wlsxOutOfRangeTemperature
snmp-server trap disable wlsxOutOfRangeVoltage
snmp-server trap disable wlsxPowerSupplyFailure
snmp-server trap disable wlsxPowerSupplyMissing
snmp-server trap disable wlsxProcessDied
snmp-server trap disable wlsxProcessExceedsMemoryLimits
snmp-server trap disable wlsxSCInserted
snmp-server trap disable wlsxSignatureMatch
snmp-server trap disable wlsxStaUnAssociatedFromUnsecureAP
snmp-server trap disable wlsxStationAddedToBlackList
snmp-server trap disable wlsxStationRemovedFromBlackList
snmp-server trap disable wlsxSwitchIPChanged
snmp-server trap disable wlsxSwitchRoleChange
snmp-server trap disable wlsxUserAuthenticationFailed
snmp-server trap disable wlsxUserEntryAuthenticated
snmp-server trap disable wlsxUserEntryChanged
snmp-server trap disable wlsxUserEntryCreated
snmp-server trap disable wlsxUserEntryDeAuthenticated
snmp-server trap disable wlsxUserEntryDeleted
snmp-server trap disable wlsxVrrpStateChange

firewall-visibility
process monitor log
end

WLAN TR



WLAN Interoperability Test Report

Test object - Handset: Ascom i62 sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP115 and AP225

WLAN configuration: Beacon Interval 100ms; DTIM Interval 5; 802.11d Regulatory Domain XX; WMM Enabled (AutoWMM); No Auto-tune; Single Voice VLAN

| Test Case | Description | AP115 2.4GHz | AP115 5.0GHz | AP225 2.4GHz | AP225 5.0GHz | Comment |
|---|---|---|---|---|---|---|
| TEST AREA ASSOCIATION AUTHENTICATION | | | | | | |
| 101 | Association with open authentication no encryption | PASS | PASS | PASS | PASS | |
| 104 | Association with WPA-PSK authentication TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 105 | Association with WPA-PSK authentication AES-CCMP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 106 | Association with WPA2-PSK authentication TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 107 | Association with WPA2-PSK authentication AES-CCMP encryption | PASS | PASS | PASS | PASS | |
| 110 | Association with PEAP-MSCHAPv2 auth AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL |
| 111 | Association with EAP-FAST authentication | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment |
| 116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate |
| TEST AREA POWER-SAVE AND QOS | | | | | | PASS |
| 150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL |
| 151 | Beacon period and DTIM interval | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
| 152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment |
| 202 | WMM prioritization | PASS | PASS | PASS | PASS | Background load generated with iPerf. No degeneration of voice quality |
| TEST AREA PERFORMANCE | | | | | | |
| 301 | Active mode - unencrypted | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 303 | Active mode – encrypted with WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 308 | Power-save mode U-APSD – WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 309 | Power-save mode U-APSD – WPA2-PSK AES background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 310 | CAC - TSPEC | PASS | PASS | PASS | PASS | No TSPEC based CAC |
| TEST AREA ROAMING AND HANDOVER TIMES | | | | | | |
| 401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | avg a/n 24ms, b/g/n 24ms |
| 403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 52ms, b/g/n 59ms |
| 408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 63ms, b/g/n 62ms |
| 410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | always on, see 408 |
| 411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | always on, see 408 |
| TEST AREA BATTERY LIFETIME | | | | | | |
| 501 | Battery lifetime in idle | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 502 | Battery lifetime in call with no power save | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 504 | Battery lifetime in call with power save mode U-APSD | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| TEST AREA STABILITY | | | | | | |
| 601 | Duration of call – Active mode | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 602 | Duration of call – U-APSD mode | PASS | PASS | PASS | PASS | |
| TEST AREA 802.11n | | | | | | |
| 801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 804 | 40MHz channels | NOT TESTED | PASS | NOT TESTED | NOT TESTED | |
| 805 | 802.11n rates | PASS | PASS | PASS | PASS | |

WLAN Interoperability Test Report

Test object - Handset: Ascom i62 sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP103 and AP205

WLAN configuration: Beacon Interval 100ms; DTIM Interval 5; 802.11d Regulatory Domain XX; WMM Enabled (AutoWMM); No Auto-tune; Single Voice VLAN

| Test Case | Description | AP205 2.4GHz | AP205 5.0GHz | AP103 2.4GHz | AP103 5.0GHz | Comment |
|---|---|---|---|---|---|---|
| TEST AREA ASSOCIATION AUTHENTICATION | | | | | | |
| 101 | Association with open authentication no encryption | PASS | PASS | PASS | PASS | |
| 104 | Association with WPA-PSK authentication TKIP encryption | See Comment | See Comment | See Comment | See Comment | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 105 | Association with WPA-PSK authentication AES-CCMP encryption | See Comment | See Comment | See Comment | See Comment | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 106 | Association with WPA2-PSK authentication TKIP encryption | PASS | PASS | PASS | PASS | |
| 107 | Association with WPA2-PSK authentication AES-CCMP encryption | PASS | PASS | PASS | PASS | |
| 110 | Association with PEAP-MSCHAPv2 auth AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL |
| 115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment |
| 116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate |
| TEST AREA POWER-SAVE AND QOS | | | | | | PASS |
| 150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL |
| 151 | Beacon period and DTIM interval | See Comment | See Comment | PASS | PASS | Only DTIM 1 for AP205; AP103 no remark NOT TESTED |
| 152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment |
| 202 | WMM prioritization | PASS | PASS | PASS | PASS | |
| TEST AREA PERFORMANCE | | | | | | |
| 301 | Active mode - unencrypted | PASS | PASS | PASS | PASS | |
| 303 | Active mode – encrypted with WPA2-PSK | PASS | PASS | PASS | PASS | |
| 308 | Power-save mode U-APSD – WPA2-PSK | PASS | PASS | PASS | PASS | |
| 309 | Power-save mode U-APSD – WPA2-PSK AES background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 310 | CAC - TSPEC | PASS | PASS | PASS | PASS | Non tspec based CAC |
| TEST AREA ROAMING AND HANDOVER TIMES | | | | | | |
| 401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 16ms, b/g/n 18ms |
| 403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 53ms, b/g/n 59ms |
| 408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 46ms, b/g/n 62ms |
| 410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | always on, see 408 |
| 411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | always on, see 408 |
| TEST AREA BATTERY LIFETIME | | | | | | |
| 501 | Battery lifetime in idle | See Comment | See Comment | PASS | PASS | 60-70h due to DTIM 1 only; AP103 90-100h (DTIM 5) |
| 502 | Battery lifetime in call with no power save | PASS | PASS | PASS | PASS | 3-4 hours |
| 504 | Battery lifetime in call with power save mode U-APSD | PASS | PASS | PASS | PASS | 13h (14-16h for AP103) |
| TEST AREA STABILITY | | | | | | |
| 601 | Duration of call – Active mode | PASS | PASS | PASS | PASS | 24h + |
| 602 | Duration of call – U-APSD mode | PASS | PASS | PASS | PASS | 24h + |
| TEST AREA 802.11n | | | | | | |
| 801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 804 | 40MHz channels | NOT TESTED | PASS | NOT TESTED | PASS | AP205 80MHz channels verified ok |
| 805 | 802.11n rates | PASS | PASS | PASS | PASS | |

WLAN Interoperability Test Report
Test object - Handset: Ascom i62 sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, Ap105 and AP135
WLAN configuration: Beacon Interval 100ms; DTIM Interval 5; 802.11d Regulatory Domain XX; WMM Enabled (AutoWMM); No Auto-tune; Single Voice VLAN
Verdict columns: Ap105 2.4Ghz, Ap105 5.0Ghz, AP135 2.4Ghz, AP135 5.0Ghz
Test Case Description Verdict Verdict Verdict Verdict Comment
TEST AREA ASSOCIATION / AUTHENTICATION
101 Association with open authentication, no encryption PASS PASS PASS PASS
104 Association with WPA-PSK authentication, TKIP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED Not tested. Only possible in Mixed mode and requires advanced configuration of i62
105 Association with WPA-PSK authentication, AES-CCMP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED Not tested. Only possible in Mixed mode and requires advanced configuration of i62
106 Association with WPA2-PSK authentication, TKIP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED
107 Association with WPA2-PSK authentication, AES-CCMP encryption PASS PASS PASS PASS
110 Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption PASS PASS PASS PASS FreeRADIUS RootCA FAIL
115 Association with multiple ESSIDs on AP PASS PASS PASS PASS See Comment
116 Association with EAP-TLS authentication PASS PASS PASS PASS FreeRADIUS RootCA + client certificate
TEST AREA POWER-SAVE AND QOS PASS
150 802.11 Power-save mode PASS PASS PASS PASS FAIL
151 Beacon period and DTIM interval NOT TESTED NOT TESTED NOT TESTED NOT TESTED Only Dtim 1 for AP205 AP103 no remark NOT TESTED
152 802.11e U-APSD PASS PASS PASS PASS See Comment
202 WMM prioritization NOT TESTED NOT TESTED NOT TESTED NOT TESTED background load generated with iPerf. No degeneration of voice quality
TEST AREA PERFORMANCE
301 Active mode - unencrypted NOT TESTED NOT TESTED NOT TESTED NOT TESTED
303 Active mode – encrypted with WPA2-PSK NOT TESTED NOT TESTED NOT TESTED NOT TESTED
308 Power-save mode U-APSD – WPA2-PSK NOT TESTED NOT TESTED NOT TESTED NOT TESTED
309 Power-save mode U-APSD – WPA2-PSK AES, background load NOT TESTED NOT TESTED NOT TESTED NOT TESTED
310 CAC - TSPEC PASS PASS PASS PASS No TSPEC based CAC
TEST AREA ROAMING AND HANDOVER TIMES
401 Handover with open authentication and no encryption PASS PASS PASS PASS avg a/n 29ms, b/g/n 27ms
403 Handover with WPA-PSK authentication and TKIP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED
404 Handover with WPA2-PSK auth and AES-CCMP encryption PASS PASS PASS PASS avg a/n 57ms, b/g/n 55ms
408 Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption PASS PASS PASS PASS avg a/n 62ms, b/g/n 60ms
410 Handover using PMKSA caching PASS PASS PASS PASS Always on, see 408
411 Handover using PMKSA and opportunistic/proactive key caching PASS PASS PASS PASS Always on, see 408
412 Preauthentication NOT TESTED NOT TESTED NOT TESTED NOT TESTED
TEST AREA BATTERY LIFETIME
501 Battery lifetime in idle NOT TESTED NOT TESTED NOT TESTED NOT TESTED
502 Battery lifetime in call with no power save NOT TESTED NOT TESTED NOT TESTED NOT TESTED
504 Battery lifetime in call with power save mode U-APSD NOT TESTED NOT TESTED NOT TESTED NOT TESTED
TEST AREA STABILITY
601 Duration of call – Active mode PASS PASS PASS PASS
602 Duration of call – U-APSD mode PASS PASS PASS PASS
TEST AREA 802.11n
801 Frame aggregation A-MSDU NOT TESTED NOT TESTED NOT TESTED NOT TESTED
802 Frame aggregation A-MPDU NOT TESTED NOT TESTED NOT TESTED NOT TESTED
804 40MHz channels NOT TESTED NOT TESTED NOT TESTED PASS
805 802.11n rates PASS PASS PASS PASS

control-plane-security
   no cpsec-enable
ids wms-general-profile
   poll-retries 3
ids wms-local-system-profile
valid-network-oui-profile
upgrade-profile
license profile
activate-service-whitelist
file syncing profile
ifmap cppm
pan profile default
pan active-profile
ap system-profile default
ap regulatory-domain-profile default
   country-code US
   valid-11g-channel 1
   valid-11g-channel 6
   valid-11g-channel 11
   valid-11a-channel 36
   valid-11a-channel 40
   valid-11a-channel 44
   valid-11a-channel 48
   valid-11a-channel 149
   valid-11a-channel 153
   valid-11a-channel 157
   valid-11a-channel 161
   valid-11a-channel 165
   valid-11g-40mhz-channel-pair 1-5
   valid-11g-40mhz-channel-pair 7-11
   valid-11a-40mhz-channel-pair 36-40
   valid-11a-40mhz-channel-pair 44-48
   valid-11a-40mhz-channel-pair 149-153
   valid-11a-40mhz-channel-pair 157-161
ap wired-ap-profile default
ap enet-link-profile default
ap mesh-ht-ssid-profile default
ap lldp med-network-policy-profile default
ap mesh-cluster-profile default
ap lldp profile default
ap mesh-radio-profile default
ap wired-port-profile default
ids general-profile default
ids unauthorized-device-profile default


ids profile default
rf arm-profile default
   assignment disable
rf arm-profile disable
   assignment disable
   no scanning
   no multi-band-scan
rf optimization-profile default
rf event-thresholds-profile default
rf am-scan-profile default
rf dot11a-radio-profile ch 165
   channel 48E
   tx-power 6
   arm-profile disable
rf dot11a-radio-profile ch 36
   channel 36E
   tx-power 25
   dot11h
   arm-profile disable
rf dot11a-radio-profile ch 40
   channel 40-
   tx-power 22
rf dot11a-radio-profile ch149
   channel 149E
   tx-power 6
   dot11h
rf dot11a-radio-profile ch44
   channel 44
   tx-power 16
rf dot11a-radio-profile default
   arm-profile disable
rf dot11g-radio-profile channel-1
   channel 1
   tx-power 6
   dot11h
   arm-profile disable
rf dot11g-radio-profile channel-11
   channel 11
   tx-power 30
   dot11h
   arm-profile disable
rf dot11g-radio-profile channel-6
   channel 6
   tx-power 25
   dot11h
   arm-profile disable
rf dot11g-radio-profile default
wlan handover-trigger-profile default


wlan rrm-ie-profile default
wlan bcn-rpt-req-profile default
wlan dot11r-profile default
wlan tsm-req-profile default
wlan voip-cac-profile default
   call-capacity 5
   bandwidth-capacity 200
   send-sip-status-code client 503
   send-sip-status-code server 503
wlan ht-ssid-profile default
   no 40MHz-enable
   no very-high-throughput-enable
   no 80MHz-enable
   no short-guard-intvl-20MHz
   no short-guard-intvl-40MHz
   no short-guard-intvl-80MHz
wlan hotspot anqp-venue-name-profile default
wlan hotspot anqp-nwk-auth-profile default
wlan hotspot anqp-roam-cons-profile default
wlan hotspot anqp-nai-realm-profile default
wlan hotspot anqp-3gpp-nwk-profile default
wlan hotspot h2qp-operator-friendly-name-profile default
wlan hotspot h2qp-wan-metrics-profile default
wlan hotspot h2qp-conn-capability-profile default
wlan hotspot h2qp-op-cl-profile default
wlan hotspot anqp-ip-addr-avail-profile default
wlan hotspot anqp-domain-name-profile default
wlan wmm-traffic-management-profile Ascom
   enable-shaping
wlan edca-parameters-profile station default
wlan edca-parameters-profile ap default
wlan dot11k-profile default
wlan ssid-profile --NEW--
   essid ArubaIntop2
   wmm-vo-dscp 56
   wmm-vi-dscp 40
   wmm-be-dscp 24
   wmm-bk-dscp 8
wlan ssid-profile default
   essid ArubaIntop
   opmode wpa2-psk-aes
   dtim-period 5
   g-basic-rates 6
   g-tx-rates 11 12 18 24 36 48 54


   max-retries 4
   wmm
   wmm-vo-dscp 46
   wmm-vi-dscp 40
   wmm-be-dscp 26
   wmm-bk-dscp 0
   wepkey1 1317981aecb1ee9a3145cbeeabbbc99a4c29e309ef9c8544
   wpa-passphrase 50a78a5dac7e447441e028920cceef898a3ba5f29c6e2098
   max-tx-fail 25
   edca-parameters-profile station default
   edca-parameters-profile ap default
wlan ssid-profile test
   opmode wpa2-psk-aes
   wmm-vo-dscp 56
   wmm-vi-dscp 40
   wmm-be-dscp 24
   wmm-bk-dscp 8
   wpa-passphrase c66913b490044f55538730b888a8522c02008a746fb88738
wlan hotspot advertisement-profile default
wlan hotspot hs2-profile default
wlan virtual-ap default
   aaa-profile default-dot1x
ap provisioning-profile default
rf arm-rf-domain-profile
   arm-rf-domain-key 49868e8b02680a8f03980ea4288197a4
ap-lacp-striping-ip
ap-group default
   virtual-ap default
   dot11a-radio-profile ch149
   dot11g-radio-profile channel-6
ap-name 001a1eca2c1a
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-11
ap-name 001a1eca2c76
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-1
ap-name 00246ccbf8b1
ap-name 00246ccbf900
   dot11a-radio-profile ch44
   dot11g-radio-profile channel-11
ap-name 24dec6cacabc
   dot11a-radio-profile ch149
   dot11g-radio-profile channel-1
ap-name 3400-ap-61-a
   dot11g-radio-profile channel-6
ap-name 3400-ap-61-b
   dot11g-radio-profile channel-6
ap-name 9c1c12c0c3bc
   dot11a-radio-profile ch 165
   dot11g-radio-profile channel-6


ap-name 9c1c12c82e5c
   dot11a-radio-profile ch149
   dot11g-radio-profile channel-1
ap-name 9c1c12cc6220
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-6
ap-name d8c7c8c0a168
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-1
airgroup cppm-server aaa
logging level warnings security subcat ids
logging level warnings security subcat ids-ap
snmp-server enable trap
snmp-server trap source 0.0.0.0
snmp-server trap disable wlsxAdhocNetwork
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedAP
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedSta
snmp-server trap disable wlsxAdhocUsingValidSSID
snmp-server trap disable wlsxAuthMaxAclEntries
snmp-server trap disable wlsxAuthMaxBWContracts
snmp-server trap disable wlsxAuthMaxUserEntries
snmp-server trap disable wlsxAuthServerIsUp
snmp-server trap disable wlsxAuthServerReqTimedOut
snmp-server trap disable wlsxAuthServerTimedOut
snmp-server trap disable wlsxChannelChanged
snmp-server trap disable wlsxCoverageHoleDetected
snmp-server trap disable wlsxDBCommunicationFailure
snmp-server trap disable wlsxDisconnectStationAttack
snmp-server trap disable wlsxESIServerDown
snmp-server trap disable wlsxESIServerUp
snmp-server trap disable wlsxFanFailure
snmp-server trap disable wlsxFanTrayInserted
snmp-server trap disable wlsxFanTrayRemoved
snmp-server trap disable wlsxGBICInserted
snmp-server trap disable wlsxIpSpoofingDetected
snmp-server trap disable wlsxLCInserted
snmp-server trap disable wlsxLCRemoved
snmp-server trap disable wlsxLicenseExpiry
snmp-server trap disable wlsxLowMemory
snmp-server trap disable wlsxLowOnFlashSpace
snmp-server trap disable wlsxOutOfRangeTemperature
snmp-server trap disable wlsxOutOfRangeVoltage
snmp-server trap disable wlsxPowerSupplyFailure
snmp-server trap disable wlsxPowerSupplyMissing
snmp-server trap disable wlsxProcessDied
snmp-server trap disable wlsxProcessExceedsMemoryLimits
snmp-server trap disable wlsxSCInserted
snmp-server trap disable wlsxSignatureMatch
snmp-server trap disable wlsxStaUnAssociatedFromUnsecureAP
snmp-server trap disable wlsxStationAddedToBlackList
snmp-server trap disable wlsxStationRemovedFromBlackList
snmp-server trap disable wlsxSwitchIPChanged
snmp-server trap disable wlsxSwitchRoleChange
snmp-server trap disable wlsxUserAuthenticationFailed
snmp-server trap disable wlsxUserEntryAuthenticated
snmp-server trap disable wlsxUserEntryChanged
snmp-server trap disable wlsxUserEntryCreated
snmp-server trap disable wlsxUserEntryDeAuthenticated
snmp-server trap disable wlsxUserEntryDeleted
snmp-server trap disable wlsxVrrpStateChange


firewall-visibility
process monitor log
end

disable wlsxUserEntryDeletedsnmp-server trap disable wlsxVrrpStateChangefirewall-visibility process monitor logend

WLAN TR


WLAN Interoperability Test Report

Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP115 and AP225

WLAN configuration:
Beacon Interval: 100ms
DTIM Interval: 5
802.11d Regulatory Domain: XX
WMM Enabled (AutoWMM)
No Auto-tune
Single Voice VLAN

| Test Case | Description | AP115 2.4Ghz | AP115 5.0Ghz | AP225 2.4Ghz | AP225 5.0Ghz | Comment |
|---|---|---|---|---|---|---|
| | TEST AREA ASSOCIATION AUTHENTICATION | | | | | |
| 101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS | |
| 104 | Association with WPA-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 105 | Association with WPA-PSK authentication, AES-CCMP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 106 | Association with WPA2-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS | |
| 110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL |
| 111 | Association with EAP-FAST authentication | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment |
| 116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate |
| | TEST AREA POWER-SAVE AND QOS | | | | | PASS |
| 150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL |
| 151 | Beacon period and DTIM interval | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
| 152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment |
| 202 | WMM prioritization | PASS | PASS | PASS | PASS | Background load generated with iPerf. No degeneration of voice quality |
| | TEST AREA PERFORMANCE | | | | | |
| 301 | Active mode - unencrypted | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 303 | Active mode - encrypted with WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 308 | Power-save mode U-APSD - WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 309 | Power-save mode U-APSD - WPA2-PSK AES background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 310 | CAC - TSPEC | PASS | PASS | PASS | PASS | No TSPEC based CAC |
| | TEST AREA ROAMING AND HANDOVER TIMES | | | | | |
| 401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | avg a/n 24ms, b/g/n 24ms |
| 403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 52ms, b/g/n 59ms |
| 408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 63ms, b/g/n 62ms |
| 410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | always on, see 408 |
| 411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | always on, see 408 |
| | TEST AREA BATTERY LIFETIME | | | | | |
| 501 | Battery lifetime in idle | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 502 | Battery lifetime in call with no power save | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 504 | Battery lifetime in call with power save mode U-APSD | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| | TEST AREA STABILITY | | | | | |
| 601 | Duration of call - Active mode | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 602 | Duration of call - U-APSD mode | PASS | PASS | PASS | PASS | |
| | TEST AREA 802.11n | | | | | |
| 801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 804 | 40Mhz channels | NOT TESTED | PASS | NOT TESTED | NOT TESTED | |
| 805 | 802.11n rates | PASS | PASS | PASS | PASS | |

WLAN Interoperability Test Report

Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP103 and AP205

WLAN configuration:
Beacon Interval: 100ms
DTIM Interval: 5
802.11d Regulatory Domain: XX
WMM Enabled (AutoWMM)
No Auto-tune
Single Voice VLAN

| Test Case | Description | AP205 2.4Ghz | AP205 5.0Ghz | AP103 2.4Ghz | AP103 5.0Ghz | Comment |
|---|---|---|---|---|---|---|
| | TEST AREA ASSOCIATION AUTHENTICATION | | | | | |
| 101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS | |
| 104 | Association with WPA-PSK authentication, TKIP encryption | See Comment | See Comment | See Comment | See Comment | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 105 | Association with WPA-PSK authentication, AES-CCMP encryption | See Comment | See Comment | See Comment | See Comment | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 106 | Association with WPA2-PSK authentication, TKIP encryption | PASS | PASS | PASS | PASS | |
| 107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS | |
| 110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL |
| 115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment |
| 116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate |
| | TEST AREA POWER-SAVE AND QOS | | | | | PASS |
| 150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL |
| 151 | Beacon period and DTIM interval | See Comment | See Comment | PASS | PASS | Only Dtim 1 for AP205; AP103 no remark. NOT TESTED |
| 152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment |
| 202 | WMM prioritization | PASS | PASS | PASS | PASS | |
| | TEST AREA PERFORMANCE | | | | | |
| 301 | Active mode - unencrypted | PASS | PASS | PASS | PASS | |
| 303 | Active mode - encrypted with WPA2-PSK | PASS | PASS | PASS | PASS | |
| 308 | Power-save mode U-APSD - WPA2-PSK | PASS | PASS | PASS | PASS | |
| 309 | Power-save mode U-APSD - WPA2-PSK AES background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 310 | CAC - TSPEC | PASS | PASS | PASS | PASS | Non tspec based CAC |
| | TEST AREA ROAMING AND HANDOVER TIMES | | | | | |
| 401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 16ms, b/g/n 18ms |
| 403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 53ms, b/g/n 59ms |
| 408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 46ms, b/g/n 62ms |
| 410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | always on, see 408 |
| 411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | always on, see 408 |
| | TEST AREA BATTERY LIFETIME | | | | | |
| 501 | Battery lifetime in idle | See Comment | See Comment | PASS | PASS | 60-70h due to DTIM 1 only AP103 90 100h (DTIM 5) |
| 502 | Battery lifetime in call with no power save | PASS | PASS | PASS | PASS | 3-4hours |
| 504 | Battery lifetime in call with power save mode U-APSD | PASS | PASS | PASS | PASS | 13h (14-16h for AP103) |
| | TEST AREA STABILITY | | | | | |
| 601 | Duration of call - Active mode | PASS | PASS | PASS | PASS | 24h + |
| 602 | Duration of call - U-APSD mode | PASS | PASS | PASS | PASS | 24h + |
| | TEST AREA 802.11n | | | | | |
| 801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 804 | 40Mhz channels | NOT TESTED | PASS | NOT TESTED | PASS | AP205 80mhz channels verified ok |
| 805 | 802.11n rates | PASS | PASS | PASS | PASS | |

WLAN Interoperability Test Report

Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP105 and AP135

WLAN configuration:
Beacon Interval: 100ms
DTIM Interval: 5
802.11d Regulatory Domain: XX
WMM Enabled (AutoWMM)
No Auto-tune
Single Voice VLAN

| Test Case | Description | AP105 2.4Ghz | AP105 5.0Ghz | AP135 2.4Ghz | AP135 5.0Ghz | Comment |
|---|---|---|---|---|---|---|
| | TEST AREA ASSOCIATION AUTHENTICATION | | | | | |
| 101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS | |
| 104 | Association with WPA-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 105 | Association with WPA-PSK authentication, AES-CCMP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 106 | Association with WPA2-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS | |
| 110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL |
| 115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment |
| 116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate |
| | TEST AREA POWER-SAVE AND QOS | | | | | PASS |
| 150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL |
| 151 | Beacon period and DTIM interval | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Only Dtim 1 for AP205; AP103 no remark. NOT TESTED |
| 152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment |
| 202 | WMM prioritization | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Background load generated with iPerf. No degeneration of voice quality |
| | TEST AREA PERFORMANCE | | | | | |
| 301 | Active mode - unencrypted | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 303 | Active mode - encrypted with WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 308 | Power-save mode U-APSD - WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 309 | Power-save mode U-APSD - WPA2-PSK AES background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 310 | CAC - TSPEC | PASS | PASS | PASS | PASS | No TSPEC based CAC |
| | TEST AREA ROAMING AND HANDOVER TIMES | | | | | |
| 401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | avg a/n 29ms, b/g/n 27ms |
| 403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 57ms, b/g/n 55ms |
| 408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 62ms, b/g/n 60ms |
| 410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | Always on, see 408 |
| 411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | Always on, see 408 |
| 412 | Preauthentication | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| | TEST AREA BATTERY LIFETIME | | | | | |
| 501 | Battery lifetime in idle | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 502 | Battery lifetime in call with no power save | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 504 | Battery lifetime in call with power save mode U-APSD | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| | TEST AREA STABILITY | | | | | |
| 601 | Duration of call - Active mode | PASS | PASS | PASS | PASS | |
| 602 | Duration of call - U-APSD mode | PASS | PASS | PASS | PASS | |
| | TEST AREA 802.11n | | | | | |
| 801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 804 | 40Mhz channels | NOT TESTED | NOT TESTED | NOT TESTED | PASS | |
| 805 | 802.11n rates | PASS | PASS | PASS | PASS | |


WLAN TR

version 64
enable secret 7d3988e20126db68084797bcc038534bffc2ced01c24555806
hostname Aruba3400
clock timezone PST -8
location Building1floor1
controller config 716
ip NAT pool dynamic-srcnat 0000 0000
ip access-list eth validuserethacl
   permit any
netservice svc-pcoip2-tcp tcp 4172
netservice svc-snmp-trap udp 162
netservice svc-netbios-dgm udp 138
netservice svc-citrix tcp 2598
netservice svc-smb-tcp tcp 445
netservice svc-ike udp 500
netservice svc-l2tp udp 1701
netservice svc-syslog udp 514
netservice svc-dhcp udp 67 68 alg dhcp
netservice svc-https tcp 443
netservice svc-ica tcp 1494
netservice svc-pptp tcp 1723
netservice svc-telnet tcp 23
netservice svc-http-accl tcp 88
netservice svc-sccp tcp 2000 alg sccp
netservice svc-sec-papi udp 8209
netservice svc-tftp udp 69 alg tftp
netservice svc-kerberos udp 88
netservice svc-sip-tcp tcp 5060
netservice svc-netbios-ssn tcp 139
netservice svc-pcoip-udp udp 50002
netservice svc-pcoip-tcp tcp 50002
netservice svc-pop3 tcp 110
netservice svc-adp udp 8200
netservice svc-cfgm-tcp tcp 8211
netservice svc-noe udp 32512 alg noe
netservice svc-http-proxy3 tcp 8888
netservice svc-lpd-tcp tcp 631
netservice svc-msrpc-tcp tcp 135 139
netservice svc-rtsp tcp 554 alg rtsp
netservice svc-dns udp 53 alg dns
netservice vnc tcp 5900 5905
netservice svc-vocera udp 5002 alg vocera
netservice svc-h323-tcp tcp 1720
netservice svc-h323-udp udp 1718 1719
netservice svc-http tcp 80
netservice svc-nterm tcp 1026 1028
netservice svc-sip-udp udp 5060
netservice svc-http-proxy2 tcp 8080
netservice svc-noe-oxo udp 5000 alg noe
netservice svc-papi udp 8211
netservice svc-ftp tcp 21 alg ftp
netservice svc-natt udp 4500
netservice svc-svp 119 alg svp
netservice svc-microsoft-ds tcp 445
netservice svc-gre 47
netservice svc-smtp tcp 25
netservice web tcp list 80 443
netservice svc-smb-udp udp 445
netservice svc-sips tcp 5061 alg sips
netservice svc-netbios-ns udp 137
netservice svc-esp 50
netservice svc-cups tcp 515
netservice svc-pcoip2-udp udp 4172
netservice svc-bootp udp 67 69
netservice svc-snmp udp 161
netservice svc-v6-dhcp udp 546 547
netservice svc-icmp 1
netservice svc-ntp udp 123
netservice svc-msrpc-udp udp 135 139
netservice svc-ssh tcp 22
netservice svc-http-proxy1 tcp 3128
netservice svc-v6-icmp 58
netservice svc-lpd-udp udp 631
netservice svc-vmware-rdp tcp 3389
netdestination6 ipv6-reserved-range
   invert
   network 20003
netexthdr default
time-range night-hours periodic
   weekday 1801 to 2359
   weekday 0000 to 0759
time-range weekend periodic
   weekend 0000 to 2359
time-range working-hours periodic
   weekday 0800 to 1800
ip access-list session allow-diskservices
   any any svc-netbios-dgm permit
   any any svc-netbios-ssn permit
   any any svc-microsoft-ds permit
   any any svc-netbios-ns permit
ip access-list session control
   any any svc-papi permit
   any any svc-sec-papi permit
   user any udp 68 deny
   any any svc-icmp permit
   any any svc-dns permit
   any any svc-cfgm-tcp permit
   any any svc-adp permit
   any any svc-tftp permit
   any any svc-dhcp permit
   any any svc-natt permit
ip access-list session v6-icmp-acl
ip access-list session apprf-ascom-sacl
ip access-list session validuser
   network 16925400 25525500 any any deny
   network 127000 255000 any any deny
   network 224000 240000 any any deny
   host 255255255255 any any deny
   network 240000 240000 any any deny
   any any any permit
   ipv6 host fe80 any any deny
   ipv6 network fc007 any any permit
   ipv6 network fe8064 any any permit
   ipv6 alias ipv6-reserved-range any any deny
   ipv6 any any any permit
ip access-list session vocera-acl
   any any svc-vocera permit queue high
ip access-list session v6-https-acl
ip access-list session vmware-acl
   any any svc-vmware-rdp permit tos 46 dot1p-priority 6
   any any svc-pcoip-tcp permit tos 46 dot1p-priority 6
   any any svc-pcoip-udp permit tos 46 dot1p-priority 6
   any any svc-pcoip2-tcp permit tos 46 dot1p-priority 6
   any any svc-pcoip2-udp permit tos 46 dot1p-priority 6
ip access-list session apprf-default-vpn-role-sacl
ip access-list session v6-control
   ipv6 any any svc-papi permit
   ipv6 any any svc-sec-papi permit
   ipv6 user any udp 547 deny
   ipv6 any any svc-v6-icmp permit
   ipv6 any any svc-dns permit
   ipv6 any any svc-cfgm-tcp permit
   ipv6 any any svc-adp permit
   ipv6 any any svc-tftp permit
   ipv6 any any svc-dhcp permit
   ipv6 any any svc-natt permit
ip access-list session icmp-acl
   any any svc-icmp permit
ip access-list session apprf-authenticated-sacl
ip access-list session apprf-stateful-dot1x-sacl
ip access-list session captiveportal
   user alias controller svc-https dst-nat 8081
   user any svc-http dst-nat 8080
   user any svc-https dst-nat 8081
   user any svc-http-proxy1 dst-nat 8088
   user any svc-http-proxy2 dst-nat 8088
   user any svc-http-proxy3 dst-nat 8088
ip access-list session v6-dhcp-acl
ip access-list session allowall
   any any any permit
ip access-list session v6-dns-acl
ip access-list session apprf-voice-sacl
ip access-list session lync-acl
   any any svc-sips permit queue high
ip access-list session test
ip access-list session sip-acl
   any any svc-sip-udp permit queue high
   any any svc-sip-tcp permit queue high
ip access-list session https-acl
   any any svc-https permit
ip access-list session citrix-acl
   any any svc-citrix permit tos 46 dot1p-priority 6
   any any svc-ica permit tos 46 dot1p-priority 6
ip access-list session dns-acl
   any any svc-dns permit
ip access-list session ascom
   any any any permit
ip access-list session ra-guard
   ipv6 user any icmpv6 rtr-adv deny
ip access-list session allow-printservices
   any any svc-cups permit
   any any svc-lpd-tcp permit
   any any svc-lpd-udp permit
ip access-list session logon-control
   user any udp 68 deny
   any any svc-icmp permit
   any any svc-dns permit
   any any svc-dhcp permit
   any any svc-natt permit
   any network 16925400 25525500 any deny
   any network 240000 240000 any deny
ip access-list session vpnlogon
   user any svc-ike permit
   user any svc-esp permit
   any any svc-l2tp permit
   any any svc-pptp permit
   any any svc-gre permit
ip access-list session srcnat
   user any any src-nat
ip access-list session skinny-acl
   any any svc-sccp permit queue high
ip access-list session tftp-acl
   any any svc-tftp permit
ip access-list session v6-allowall
ip access-list session apprf-cpbase-sacl
ip access-list session cplogout
   user alias controller svc-https dst-nat 8081
ip access-list session apprf-default-via-role-sacl
ip access-list session dhcp-acl
   any any svc-dhcp permit
ip access-list session http-acl
   any any svc-http permit
ip access-list session v6-http-acl
ip access-list session captiveportal6
   ipv6 user alias controller6 svc-https captive
   ipv6 user any svc-http captive
   ipv6 user any svc-https captive
   ipv6 user any svc-http-proxy1 captive
   ipv6 user any svc-http-proxy2 captive
   ipv6 user any svc-http-proxy3 captive
ip access-list session apprf-guest-sacl
ip access-list session ap-uplink-acl
   any any udp 68 permit
   any any svc-icmp permit
   any host 22400251 udp 5353 permit
ip access-list session ap-acl
   any any svc-gre permit
   any any svc-syslog permit
   any user svc-snmp permit
   user any svc-http permit
   user any svc-http-accl permit
   user any svc-smb-tcp permit
   user any svc-msrpc-tcp permit
   user any svc-snmp-trap permit
   user any svc-ntp permit
   user alias controller svc-ftp permit
ip access-list session svp-acl
   any any svc-svp permit queue high
   user host 22401116 any permit
ip access-list session noe-acl
   any any svc-noe permit queue high
ip access-list session global-sacl
ip access-list session v6-ap-acl
   ipv6 any any svc-gre permit
   ipv6 any any svc-syslog permit
   ipv6 any user svc-snmp permit
   ipv6 user any svc-snmp-trap permit
   ipv6 user any svc-ntp permit
   ipv6 user alias controller6 svc-ftp permit
ip access-list session h323-acl
   any any svc-h323-tcp permit queue high
   any any svc-h323-udp permit queue high
ip access-list session v6-logon-control
   ipv6 any network fc007 any permit
   ipv6 any network fe8064 any permit
   ipv6 any alias ipv6-reserved-range any deny
vpn-dialer default-dialer
   ike authentication PRE-SHARE 0fa4598253e270cc96afbec0732b06120e4a3d76a908f6e2
dot1x high-watermark 60
dot1x low-watermark 57
user-role ap-role
   access-list session ra-guard
   access-list session control
   access-list session ap-acl
   access-list session v6-control
   access-list session v6-ap-acl
user-role denyall
user-role default-vpn-role
   access-list session global-sacl
   access-list session apprf-default-vpn-role-sacl
   access-list session ra-guard
   access-list session allowall
   access-list session v6-allowall
user-role cpbase
   access-list session global-sacl
   access-list session apprf-cpbase-sacl
user-role voice
   access-list session global-sacl
   access-list session apprf-voice-sacl
   access-list session ra-guard
   access-list session sip-acl
   access-list session noe-acl
   access-list session svp-acl
   access-list session vocera-acl
   access-list session skinny-acl
   access-list session h323-acl
   access-list session dhcp-acl
   access-list session tftp-acl
   access-list session dns-acl
   access-list session icmp-acl
user-role ascom
   access-list session global-sacl
   access-list session apprf-ascom-sacl
   access-list session ascom
user-role default-via-role
   access-list session global-sacl
   access-list session apprf-default-via-role-sacl
   access-list session allowall
   access-list session v6-allowall
user-role guest-logon
   captive-portal default
   access-list session ra-guard
   access-list session logon-control
   access-list session captiveportal
   access-list session v6-logon-control
   access-list session captiveportal6
user-role guest
   access-list session global-sacl
   access-list session apprf-guest-sacl
   access-list session ra-guard
   access-list session http-acl
   access-list session https-acl
   access-list session dhcp-acl
   access-list session icmp-acl
   access-list session dns-acl
   access-list session v6-http-acl
   access-list session v6-https-acl
   access-list session v6-dhcp-acl
   access-list session v6-icmp-acl
   access-list session v6-dns-acl
user-role stateful-dot1x
   access-list session global-sacl
   access-list session apprf-stateful-dot1x-sacl
user-role authenticated
   access-list session global-sacl
   access-list session apprf-authenticated-sacl
   access-list session ra-guard
   access-list session allowall
   access-list session v6-allowall
user-role logon
   access-list session ra-guard
   access-list session logon-control
   access-list session captiveportal
   access-list session vpnlogon
   access-list session v6-logon-control
   access-list session captiveportal6
no kernel coredump
interface mgmt
   shutdown
dialer group evdo_us
   init-string ATQ0V1E0
   dial-string ATDT777
dialer group gsm_us
   init-string AT+CGDCONT=1IPISPCINGULAR
   dial-string ATD99
dialer group gsm_asia
   init-string AT+CGDCONT=1IPinternet
   dial-string ATD991
dialer group vivo_br
   init-string AT+CGDCONT=1IPzapvivocombr
   dial-string ATD99
no spanning-tree
interface gigabitethernet 10
   description GE10
   trusted
   trusted vlan 1-4094
interface gigabitethernet 11
   description GE11
   trusted
   trusted vlan 1-4094
interface gigabitethernet 12
   description GE12
   trusted
   trusted vlan 1-4094
interface gigabitethernet 13
   description GE13
   trusted
   trusted vlan 1-4094
interface vlan 1
   ip address 192168013 2552552550
ip default-gateway 172201061
ip default-gateway 192168050
uplink disable
crypto isakmp policy 20
   encryption aes256
crypto isakmp policy 10001
crypto isakmp policy 10002
   encryption aes256
   authentication rsa-sig
crypto isakmp policy 10003
   encryption aes256
crypto isakmp policy 10004
   version v2
   encryption aes256
   authentication rsa-sig
crypto isakmp policy 10005
   encryption aes256
crypto isakmp policy 10006
   version v2
   encryption aes128
   authentication rsa-sig
crypto isakmp policy 10007
   version v2
   encryption aes128
crypto isakmp policy 10008
   version v2
   encryption aes128
   hash sha2-256-128
   group 19
   authentication ecdsa-256
   prf prf-hmac-sha256
crypto isakmp policy 10009
   version v2
   encryption aes256
   hash sha2-384-192
   group 20
   authentication ecdsa-384
   prf prf-hmac-sha384
crypto ipsec transform-set default-ha-transform esp-3des esp-sha-hmac
crypto ipsec transform-set default-boc-bm-transform esp-3des esp-sha-hmac
crypto ipsec transform-set default-rap-transform esp-aes256 esp-sha-hmac
crypto ipsec transform-set default-aes esp-aes256 esp-sha-hmac
crypto dynamic-map default-rap-ipsecmap 10001
   version v2
   set transform-set default-gcm256 default-gcm128 default-rap-transform
crypto dynamic-map default-dynamicmap 10000
   set transform-set default-transform default-aes
crypto map GLOBAL-IKEV2-MAP 10000 ipsec-isakmp dynamic default-rap-ipsecmap
crypto map GLOBAL-MAP 10000 ipsec-isakmp dynamic default-dynamicmap
crypto isakmp eap-passthrough eap-tls
crypto isakmp eap-passthrough eap-peap
crypto isakmp eap-passthrough eap-mschapv2
vpdn group l2tp
vpdn group pptp
tunneled-node-address 0000
adp discovery enable
adp igmp-join enable
adp igmp-vlan 0
voice rtcp-inactivity disable
voice alg-based-cac enable
voice sip-midcall-req-timeout disable
ap ap-blacklist-time 3600
ap flush-r1-on-new-r0 disable
mgmt-user admin root 5436b5a101681372db26d314e974065944317cd3e1fe6a5534
no database synchronize
ip mobile domain default
airgroup mdns enable
airgroup dlna enable
airgroup location-discovery enable
airgroup active-wireless-discovery disable
airgroupservice airplay
   id _airplay_tcp
   id _raop_tcp
   id _appletv-v2_tcp
   description AirPlay
airgroupservice airprint
   id _ipp_tcp
   id _pdl-datastream_tcp
   id _printer_tcp
   id _scanner_tcp
   id _universal_sub_ipp_tcp
   id _universal_sub_ipps_tcp
   id _printer_sub_http_tcp
   id _http_tcp
   id _http-alt_tcp
   id _ipp-tls_tcp
   id _fax-ipp_tcp
   id _riousbprint_tcp
   id _cups_sub_ipp_tcp
   id _cups_sub_fax-ipp_tcp
   id _ica-networking_tcp
   id _ptp_tcp
   id _canon-bjnp1_tcp
   id _ipps_tcp
   id _ica-networking2_tcp
   description AirPrint
airgroupservice itunes
   id _home-sharing_tcp
   id _apple-mobdev_tcp
   id _daap_tcp
   id _dacp_tcp
   description iTunes
airgroupservice remotemgmt
   id _ssh_tcp
   id _sftp-ssh_tcp
   id _ftp_tcp
   id _telnet_tcp
   id _rfb_tcp
   id _net-assistant_tcp
   description Remote management
airgroupservice sharing
   id _odisk_tcp
   id _afpovertcp_tcp
   id _xgrid_tcp
   description Sharing
airgroupservice chat
   id _presence_tcp
   description Chat
airgroupservice googlecast
   id _googlecast_tcp
   description GoogleCast supported by Chromecast etc
airgroupservice DIAL
   id urndial-multiscreen-orgservicedial1
   id urndial-multiscreen-orgdevicedial1
   description DIAL supported by Chromecast FireTV Roku etc
airgroupservice DLNA Media
   id urnschemas-upnp-orgdeviceMediaServer1
   id urnschemas-upnp-orgdeviceMediaServer2
   id urnschemas-upnp-orgdeviceMediaServer3
   id urnschemas-upnp-orgdeviceMediaServer4
   id urnschemas-upnp-orgdeviceMediaRenderer1
   id urnschemas-upnp-orgdeviceMediaRenderer2
   id urnschemas-upnp-orgdeviceMediaRenderer3
   id urnschemas-upnp-orgdeviceMediaPlayer1
   description Media
airgroupservice DLNA Print
   id urnschemas-upnp-orgdevicePrinter1
   id urnschemas-upnp-orgservicePrintBasic1
   id urnschemas-upnp-orgservicePrintEnhanced1
   description Print
airgroupservice allowall
   description Remaining-Services
airgroup service airplay enable
airgroup service airprint enable
airgroup service itunes disable
airgroup service remotemgmt disable
airgroup service sharing disable
airgroup service chat disable
airgroup service googlecast disable
airgroup service DIAL enable
airgroup service DLNA Media disable
airgroup service DLNA Print disable
airgroup service allowall disable
ip igmp
ipv6 mld
no firewall attack-rate cp 1024
firewall enable ICE-STUN based firewall traversal
firewall attack-rate grat-arp 50 drop
ipv6 firewall ext-hdr-parse-len 100
firewall cp
ip domain lookup
country US
aaa authentication mac default
aaa authentication dot1x ArubaIntop-dot1x_prof
aaa authentication dot1x ascom
   machine-authentication enable
   machine-authentication machine-default-role ascom
   machine-authentication user-default-role authenticated
   reauthentication
   termination enable
   termination eap-type eap-peap
   termination inner-eap-type eap-mschapv2
aaa authentication dot1x default
aaa authentication dot1x Freeradius
   machine-authentication enable
   machine-authentication machine-default-role ascom
   machine-authentication user-default-role authenticated
aaa authentication-server radius Intop
   host 19216802
   key 6035e299cd29e5ccb74cf92aac31ee2f
aaa server-group ascom
   auth-server Internal
aaa server-group default
   auth-server Internal
   set role condition role value-of
aaa server-group intop
   auth-server 
Intopaaa profile ascom initial-role ascom authentication-dot1x ascom dot1x-default-role authenticated dot1x-server-group ascomaaa profile defaultaaa profile default-dot1x initial-role ascom authentication-dot1x Freeradius dot1x-default-role authenticated dot1x-server-group intopaaa profile default-dot1x-psk initial-role ascom authentication-dot1x default-psk dot1x-default-role authenticatedaaa authentication captive-portal defaultaaa authentication wispr defaultaaa authentication vpn defaultaaa authentication vpn default-rapaaa authentication mgmtaaa authentication stateful-ntlm defaultaaa authentication stateful-kerberos defaultaaa authentication stateful-dot1x server-group intopaaa authentication wiredweb-serverguest-access-emailvoice loggingvoice dialplan-profile defaultapp lync traffic-control defaultvoice real-time-configvoice sipaaa password-policy mgmtcontrol-plane-security no cpsec-enableids wms-general-profile poll-retries 3ids wms-local-system-profilevalid-network-oui-profileupgrade-profilelicense profileactivate-service-whitelistfile syncing profileifmap cppmpan profile defaultpan active-profileap system-profile defaultap regulatory-domain-profile default country-code US valid-11g-channel 1 valid-11g-channel 6 valid-11g-channel 11 valid-11a-channel 36 valid-11a-channel 40 valid-11a-channel 44 valid-11a-channel 48 valid-11a-channel 149 valid-11a-channel 153 valid-11a-channel 157 valid-11a-channel 161 valid-11a-channel 165 valid-11g-40mhz-channel-pair 1-5 valid-11g-40mhz-channel-pair 7-11 valid-11a-40mhz-channel-pair 36-40 valid-11a-40mhz-channel-pair 44-48 valid-11a-40mhz-channel-pair 149-153 valid-11a-40mhz-channel-pair 157-161ap wired-ap-profile defaultap enet-link-profile defaultap mesh-ht-ssid-profile defaultap lldp med-network-policy-profile defaultap mesh-cluster-profile defaultap lldp profile defaultap mesh-radio-profile defaultap wired-port-profile defaultids general-profile defaultids unauthorized-device-profile defaultids profile defaultrf 
arm-profile default assignment disablerf arm-profile disable assignment disable no scanning no multi-band-scanrf optimization-profile defaultrf event-thresholds-profile defaultrf am-scan-profile defaultrf dot11a-radio-profile ch 165 channel 48E tx-power 6 arm-profile disablerf dot11a-radio-profile ch 36 channel 36E tx-power 25 dot11h arm-profile disablerf dot11a-radio-profile ch 40 channel 40- tx-power 22rf dot11a-radio-profile ch149 channel 149E tx-power 6 dot11hrf dot11a-radio-profile ch44 channel 44 tx-power 16rf dot11a-radio-profile default arm-profile disablerf dot11g-radio-profile channel-1 channel 1 tx-power 6 dot11h arm-profile disablerf dot11g-radio-profile channel-11 channel 11 tx-power 30 dot11h arm-profile disablerf dot11g-radio-profile channel-6 channel 6 tx-power 25 dot11h arm-profile disablerf dot11g-radio-profile defaultwlan handover-trigger-profile defaultwlan rrm-ie-profile defaultwlan bcn-rpt-req-profile defaultwlan dot11r-profile defaultwlan tsm-req-profile defaultwlan voip-cac-profile default call-capacity 5 bandwidth-capacity 200 send-sip-status-code client 503 send-sip-status-code server 503wlan ht-ssid-profile default no 40MHz-enable no very-high-throughput-enable no 80MHz-enable no short-guard-intvl-20MHz no short-guard-intvl-40MHz no short-guard-intvl-80MHzwlan hotspot anqp-venue-name-profile defaultwlan hotspot anqp-nwk-auth-profile defaultwlan hotspot anqp-roam-cons-profile defaultwlan hotspot anqp-nai-realm-profile defaultwlan hotspot anqp-3gpp-nwk-profile defaultwlan hotspot h2qp-operator-friendly-name-profile defaultwlan hotspot h2qp-wan-metrics-profile defaultwlan hotspot h2qp-conn-capability-profile defaultwlan hotspot h2qp-op-cl-profile defaultwlan hotspot anqp-ip-addr-avail-profile defaultwlan hotspot anqp-domain-name-profile defaultwlan wmm-traffic-management-profile Ascom enable-shapingwlan edca-parameters-profile station defaultwlan edca-parameters-profile ap defaultwlan dot11k-profile defaultwlan ssid-profile --NEW-- essid 
ArubaIntop2 wmm-vo-dscp 56 wmm-vi-dscp 40 wmm-be-dscp 24 wmm-bk-dscp 8wlan ssid-profile default essid ArubaIntop opmode wpa2-psk-aes dtim-period 5 g-basic-rates 6 g-tx-rates 11 12 18 24 36 48 54 max-retries 4 wmm wmm-vo-dscp 46 wmm-vi-dscp 40 wmm-be-dscp 26 wmm-bk-dscp 0 wepkey1 1317981aecb1ee9a3145cbeeabbbc99a4c29e309ef9c8544 wpa-passphrase 50a78a5dac7e447441e028920cceef898a3ba5f29c6e2098 max-tx-fail 25 edca-parameters-profile station default edca-parameters-profile ap defaultwlan ssid-profile test opmode wpa2-psk-aes wmm-vo-dscp 56 wmm-vi-dscp 40 wmm-be-dscp 24 wmm-bk-dscp 8 wpa-passphrase c66913b490044f55538730b888a8522c02008a746fb88738wlan hotspot advertisement-profile defaultwlan hotspot hs2-profile defaultwlan virtual-ap default aaa-profile default-dot1xap provisioning-profile defaultrf arm-rf-domain-profile arm-rf-domain-key 49868e8b02680a8f03980ea4288197a4ap-lacp-striping-ipap-group default virtual-ap default dot11a-radio-profile ch149 dot11g-radio-profile channel-6ap-name 001a1eca2c1a dot11a-radio-profile ch 36 dot11g-radio-profile channel-11ap-name 001a1eca2c76 dot11a-radio-profile ch 36 dot11g-radio-profile channel-1ap-name 00246ccbf8b1ap-name 00246ccbf900 dot11a-radio-profile ch44 dot11g-radio-profile channel-11ap-name 24dec6cacabc dot11a-radio-profile ch149 dot11g-radio-profile channel-1ap-name 3400-ap-61-a dot11g-radio-profile channel-6ap-name 3400-ap-61-b dot11g-radio-profile channel-6ap-name 9c1c12c0c3bc dot11a-radio-profile ch 165 dot11g-radio-profile channel-6ap-name 9c1c12c82e5c dot11a-radio-profile ch149 dot11g-radio-profile channel-1ap-name 9c1c12cc6220 dot11a-radio-profile ch 36 dot11g-radio-profile channel-6ap-name d8c7c8c0a168 dot11a-radio-profile ch 36 dot11g-radio-profile channel-1airgroup cppm-server aaalogging level warnings security subcat idslogging level warnings security subcat ids-apsnmp-server enable trapsnmp-server trap source 0000snmp-server trap disable wlsxAdhocNetworksnmp-server trap disable 
wlsxAdhocNetworkBridgeDetectedAPsnmp-server trap disable wlsxAdhocNetworkBridgeDetectedStasnmp-server trap disable wlsxAdhocUsingValidSSIDsnmp-server trap disable wlsxAuthMaxAclEntriessnmp-server trap disable wlsxAuthMaxBWContractssnmp-server trap disable wlsxAuthMaxUserEntriessnmp-server trap disable wlsxAuthServerIsUpsnmp-server trap disable wlsxAuthServerReqTimedOutsnmp-server trap disable wlsxAuthServerTimedOutsnmp-server trap disable wlsxChannelChangedsnmp-server trap disable wlsxCoverageHoleDetectedsnmp-server trap disable wlsxDBCommunicationFailuresnmp-server trap disable wlsxDisconnectStationAttacksnmp-server trap disable wlsxESIServerDownsnmp-server trap disable wlsxESIServerUpsnmp-server trap disable wlsxFanFailuresnmp-server trap disable wlsxFanTrayInsertedsnmp-server trap disable wlsxFanTrayRemovedsnmp-server trap disable wlsxGBICInsertedsnmp-server trap disable wlsxIpSpoofingDetectedsnmp-server trap disable wlsxLCInsertedsnmp-server trap disable wlsxLCRemovedsnmp-server trap disable wlsxLicenseExpirysnmp-server trap disable wlsxLowMemorysnmp-server trap disable wlsxLowOnFlashSpacesnmp-server trap disable wlsxOutOfRangeTemperaturesnmp-server trap disable wlsxOutOfRangeVoltagesnmp-server trap disable wlsxPowerSupplyFailuresnmp-server trap disable wlsxPowerSupplyMissingsnmp-server trap disable wlsxProcessDiedsnmp-server trap disable wlsxProcessExceedsMemoryLimitssnmp-server trap disable wlsxSCInsertedsnmp-server trap disable wlsxSignatureMatchsnmp-server trap disable wlsxStaUnAssociatedFromUnsecureAPsnmp-server trap disable wlsxStationAddedToBlackListsnmp-server trap disable wlsxStationRemovedFromBlackListsnmp-server trap disable wlsxSwitchIPChangedsnmp-server trap disable wlsxSwitchRoleChangesnmp-server trap disable wlsxUserAuthenticationFailedsnmp-server trap disable wlsxUserEntryAuthenticatedsnmp-server trap disable wlsxUserEntryChangedsnmp-server trap disable wlsxUserEntryCreatedsnmp-server trap disable wlsxUserEntryDeAuthenticatedsnmp-server trap 
disable wlsxUserEntryDeletedsnmp-server trap disable wlsxVrrpStateChangefirewall-visibility process monitor logend

WLAN Interoperability Test Report

Test object - Handset: Ascom i62 sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP115 and AP225
WLAN configuration: Beacon Interval 100ms, DTIM Interval 5, 802.11d Regulatory Domain XX, WMM Enabled (AutoWMM), No Auto-tune, Single Voice VLAN

| Test Case | Description | Verdict AP115 2.4GHz | Verdict AP115 5.0GHz | Verdict AP225 2.4GHz | Verdict AP225 5.0GHz | Comment |
|---|---|---|---|---|---|---|
| | TEST AREA ASSOCIATION AUTHENTICATION | | | | | |
| 101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS | |
| 104 | Association with WPA-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 105 | Association with WPA-PSK authentication, AES-CCMP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 106 | Association with WPA2-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS | |
| 110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL |
| 111 | Association with EAP-FAST authentication | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment |
| 116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate |
| | TEST AREA POWER-SAVE AND QOS | | | | | PASS |
| 150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL |
| 151 | Beacon period and DTIM interval | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
| 152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment |
| 202 | WMM prioritization | PASS | PASS | PASS | PASS | background load generated with iPerf. No degeneration of voice quality |
| | TEST AREA PERFORMANCE | | | | | |
| 301 | Active mode - unencrypted | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 303 | Active mode - encrypted with WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 308 | Power-save mode U-APSD - WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 309 | Power-save mode U-APSD - WPA2-PSK AES background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 310 | CAC - TSPEC | PASS | PASS | PASS | PASS | No TSPEC based CAC |
| | TEST AREA ROAMING AND HANDOVER TIMES | | | | | |
| 401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | avg a/n 24ms, b/g/n 24ms |
| 403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 52ms, b/g/n 59ms |
| 408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 63ms, b/g/n 62ms |
| 410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | always on, see 408 |
| 411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | always on, see 408 |
| | TEST AREA BATTERY LIFETIME | | | | | |
| 501 | Battery lifetime in idle | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 502 | Battery lifetime in call with no power save | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 504 | Battery lifetime in call with power save mode U-APSD | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| | TEST AREA STABILITY | | | | | |
| 601 | Duration of call - Active mode | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 602 | Duration of call - U-APSD mode | PASS | PASS | PASS | PASS | |
| | TEST AREA 802.11n | | | | | |
| 801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 804 | 40MHz channels | NOT TESTED | PASS | NOT TESTED | NOT TESTED | |
| 805 | 802.11n rates | PASS | PASS | PASS | PASS | |

WLAN Interoperability Test Report

Test object - Handset: Ascom i62 sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP103 and AP205
WLAN configuration: Beacon Interval 100ms, DTIM Interval 5, 802.11d Regulatory Domain XX, WMM Enabled (AutoWMM), No Auto-tune, Single Voice VLAN

| Test Case | Description | Verdict AP205 2.4GHz | Verdict AP205 5.0GHz | Verdict AP103 2.4GHz | Verdict AP103 5.0GHz | Comment |
|---|---|---|---|---|---|---|
| | TEST AREA ASSOCIATION AUTHENTICATION | | | | | |
| 101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS | |
| 104 | Association with WPA-PSK authentication, TKIP encryption | See Comment | See Comment | See Comment | See Comment | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 105 | Association with WPA-PSK authentication, AES-CCMP encryption | See Comment | See Comment | See Comment | See Comment | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 106 | Association with WPA2-PSK authentication, TKIP encryption | PASS | PASS | PASS | PASS | |
| 107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS | |
| 110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL |
| 115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment |
| 116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate |
| | TEST AREA POWER-SAVE AND QOS | | | | | PASS |
| 150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL |
| 151 | Beacon period and DTIM interval | See Comment | See Comment | PASS | PASS | Only Dtim 1 for AP205 AP103 no remark NOT TESTED |
| 152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment |
| 202 | WMM prioritization | PASS | PASS | PASS | PASS | |
| | TEST AREA PERFORMANCE | | | | | |
| 301 | Active mode - unencrypted | PASS | PASS | PASS | PASS | |
| 303 | Active mode - encrypted with WPA2-PSK | PASS | PASS | PASS | PASS | |
| 308 | Power-save mode U-APSD - WPA2-PSK | PASS | PASS | PASS | PASS | |
| 309 | Power-save mode U-APSD - WPA2-PSK AES background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 310 | CAC - TSPEC | PASS | PASS | PASS | PASS | Non tspec based CAC |
| | TEST AREA ROAMING AND HANDOVER TIMES | | | | | |
| 401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 16ms, b/g/n 18ms |
| 403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 53ms, b/g/n 59ms |
| 408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 46ms, b/g/n 62ms |
| 410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | always on, see 408 |
| 411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | always on, see 408 |
| | TEST AREA BATTERY LIFETIME | | | | | |
| 501 | Battery lifetime in idle | See Comment | See Comment | PASS | PASS | 60-70h due to DTIM 1 only AP103 90 100h (DTIM 5) |
| 502 | Battery lifetime in call with no power save | PASS | PASS | PASS | PASS | 3-4hours |
| 504 | Battery lifetime in call with power save mode U-APSD | PASS | PASS | PASS | PASS | 13h (14-16h for AP103) |
| | TEST AREA STABILITY | | | | | |
| 601 | Duration of call - Active mode | PASS | PASS | PASS | PASS | 24h + |
| 602 | Duration of call - U-APSD mode | PASS | PASS | PASS | PASS | 24h + |
| | TEST AREA 802.11n | | | | | |
| 801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 804 | 40MHz channels | NOT TESTED | PASS | NOT TESTED | PASS | AP205 80MHz channels verified ok |
| 805 | 802.11n rates | PASS | PASS | PASS | PASS | |

WLAN Interoperability Test Report

Test object - Handset: Ascom i62 sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP105 and AP135
WLAN configuration: Beacon Interval 100ms, DTIM Interval 5, 802.11d Regulatory Domain XX, WMM Enabled (AutoWMM), No Auto-tune, Single Voice VLAN

| Test Case | Description | Verdict AP105 2.4GHz | Verdict AP105 5.0GHz | Verdict AP135 2.4GHz | Verdict AP135 5.0GHz | Comment |
|---|---|---|---|---|---|---|
| | TEST AREA ASSOCIATION AUTHENTICATION | | | | | |
| 101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS | |
| 104 | Association with WPA-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 105 | Association with WPA-PSK authentication, AES-CCMP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 106 | Association with WPA2-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS | |
| 110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL |
| 115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment |
| 116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate |
| | TEST AREA POWER-SAVE AND QOS | | | | | PASS |
| 150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL |
| 151 | Beacon period and DTIM interval | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Only Dtim 1 for AP205 AP103 no remark NOT TESTED |
| 152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment |
| 202 | WMM prioritization | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | background load generated with iPerf. No degeneration of voice quality |
| | TEST AREA PERFORMANCE | | | | | |
| 301 | Active mode - unencrypted | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 303 | Active mode - encrypted with WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 308 | Power-save mode U-APSD - WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 309 | Power-save mode U-APSD - WPA2-PSK AES background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 310 | CAC - TSPEC | PASS | PASS | PASS | PASS | No TSPEC based CAC |
| | TEST AREA ROAMING AND HANDOVER TIMES | | | | | |
| 401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | avg a/n 29ms, b/g/n 27ms |
| 403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 57ms, b/g/n 55ms |
| 408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 62ms, b/g/n 60ms |
| 410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | Always on, see 408 |
| 411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | Always on, see 408 |
| 412 | Preauthentication | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| | TEST AREA BATTERY LIFETIME | | | | | |
| 501 | Battery lifetime in idle | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 502 | Battery lifetime in call with no power save | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 504 | Battery lifetime in call with power save mode U-APSD | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| | TEST AREA STABILITY | | | | | |
| 601 | Duration of call - Active mode | PASS | PASS | PASS | PASS | |
| 602 | Duration of call - U-APSD mode | PASS | PASS | PASS | PASS | |
| | TEST AREA 802.11n | | | | | |
| 801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 804 | 40MHz channels | NOT TESTED | NOT TESTED | NOT TESTED | PASS | |
| 805 | 802.11n rates | PASS | PASS | PASS | PASS | |

wlan rrm-ie-profile default
wlan bcn-rpt-req-profile default
wlan dot11r-profile default
wlan tsm-req-profile default
wlan voip-cac-profile default
   call-capacity 5
   bandwidth-capacity 200
   send-sip-status-code client 503
   send-sip-status-code server 503
wlan ht-ssid-profile default
   no 40MHz-enable
   no very-high-throughput-enable
   no 80MHz-enable
   no short-guard-intvl-20MHz
   no short-guard-intvl-40MHz
   no short-guard-intvl-80MHz
wlan hotspot anqp-venue-name-profile default
wlan hotspot anqp-nwk-auth-profile default
wlan hotspot anqp-roam-cons-profile default
wlan hotspot anqp-nai-realm-profile default
wlan hotspot anqp-3gpp-nwk-profile default
wlan hotspot h2qp-operator-friendly-name-profile default
wlan hotspot h2qp-wan-metrics-profile default
wlan hotspot h2qp-conn-capability-profile default
wlan hotspot h2qp-op-cl-profile default
wlan hotspot anqp-ip-addr-avail-profile default
wlan hotspot anqp-domain-name-profile default
wlan wmm-traffic-management-profile Ascom
   enable-shaping
wlan edca-parameters-profile station default
wlan edca-parameters-profile ap default
wlan dot11k-profile default
wlan ssid-profile --NEW--
   essid ArubaIntop2
   wmm-vo-dscp 56
   wmm-vi-dscp 40
   wmm-be-dscp 24
   wmm-bk-dscp 8
wlan ssid-profile default
   essid ArubaIntop
   opmode wpa2-psk-aes
   dtim-period 5
   g-basic-rates 6
   g-tx-rates 11 12 18 24 36 48 54

   max-retries 4
   wmm
   wmm-vo-dscp 46
   wmm-vi-dscp 40
   wmm-be-dscp 26
   wmm-bk-dscp 0
   wepkey1 1317981aecb1ee9a3145cbeeabbbc99a4c29e309ef9c8544
   wpa-passphrase 50a78a5dac7e447441e028920cceef898a3ba5f29c6e2098
   max-tx-fail 25
   edca-parameters-profile station default
   edca-parameters-profile ap default
wlan ssid-profile test
   opmode wpa2-psk-aes
   wmm-vo-dscp 56
   wmm-vi-dscp 40
   wmm-be-dscp 24
   wmm-bk-dscp 8
   wpa-passphrase c66913b490044f55538730b888a8522c02008a746fb88738
wlan hotspot advertisement-profile default
wlan hotspot hs2-profile default
wlan virtual-ap default
   aaa-profile default-dot1x
ap provisioning-profile default
rf arm-rf-domain-profile
   arm-rf-domain-key 49868e8b02680a8f03980ea4288197a4
ap-lacp-striping-ip
ap-group default
   virtual-ap default
   dot11a-radio-profile ch149
   dot11g-radio-profile channel-6
ap-name 001a1eca2c1a
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-11
ap-name 001a1eca2c76
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-1
ap-name 00246ccbf8b1
ap-name 00246ccbf900
   dot11a-radio-profile ch44
   dot11g-radio-profile channel-11
ap-name 24dec6cacabc
   dot11a-radio-profile ch149
   dot11g-radio-profile channel-1
ap-name 3400-ap-61-a
   dot11g-radio-profile channel-6
ap-name 3400-ap-61-b
   dot11g-radio-profile channel-6
ap-name 9c1c12c0c3bc
   dot11a-radio-profile ch 165
   dot11g-radio-profile channel-6

ap-name 9c1c12c82e5c
   dot11a-radio-profile ch149
   dot11g-radio-profile channel-1
ap-name 9c1c12cc6220
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-6
ap-name d8c7c8c0a168
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-1
airgroup cppm-server aaa
logging level warnings security subcat ids
logging level warnings security subcat ids-ap
snmp-server enable trap
snmp-server trap source 0000
snmp-server trap disable wlsxAdhocNetwork
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedAP
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedSta
snmp-server trap disable wlsxAdhocUsingValidSSID
snmp-server trap disable wlsxAuthMaxAclEntries
snmp-server trap disable wlsxAuthMaxBWContracts
snmp-server trap disable wlsxAuthMaxUserEntries
snmp-server trap disable wlsxAuthServerIsUp
snmp-server trap disable wlsxAuthServerReqTimedOut
snmp-server trap disable wlsxAuthServerTimedOut
snmp-server trap disable wlsxChannelChanged
snmp-server trap disable wlsxCoverageHoleDetected
snmp-server trap disable wlsxDBCommunicationFailure
snmp-server trap disable wlsxDisconnectStationAttack
snmp-server trap disable wlsxESIServerDown
snmp-server trap disable wlsxESIServerUp
snmp-server trap disable wlsxFanFailure
snmp-server trap disable wlsxFanTrayInserted
snmp-server trap disable wlsxFanTrayRemoved
snmp-server trap disable wlsxGBICInserted
snmp-server trap disable wlsxIpSpoofingDetected
snmp-server trap disable wlsxLCInserted
snmp-server trap disable wlsxLCRemoved
snmp-server trap disable wlsxLicenseExpiry
snmp-server trap disable wlsxLowMemory
snmp-server trap disable wlsxLowOnFlashSpace
snmp-server trap disable wlsxOutOfRangeTemperature
snmp-server trap disable wlsxOutOfRangeVoltage
snmp-server trap disable wlsxPowerSupplyFailure
snmp-server trap disable wlsxPowerSupplyMissing
snmp-server trap disable wlsxProcessDied
snmp-server trap disable wlsxProcessExceedsMemoryLimits
snmp-server trap disable wlsxSCInserted
snmp-server trap disable wlsxSignatureMatch
snmp-server trap disable wlsxStaUnAssociatedFromUnsecureAP
snmp-server trap disable wlsxStationAddedToBlackList
snmp-server trap disable wlsxStationRemovedFromBlackList
snmp-server trap disable wlsxSwitchIPChanged
snmp-server trap disable wlsxSwitchRoleChange
snmp-server trap disable wlsxUserAuthenticationFailed
snmp-server trap disable wlsxUserEntryAuthenticated
snmp-server trap disable wlsxUserEntryChanged
snmp-server trap disable wlsxUserEntryCreated
snmp-server trap disable wlsxUserEntryDeAuthenticated
snmp-server trap disable wlsxUserEntryDeleted
snmp-server trap disable wlsxVrrpStateChange

firewall-visibility
process monitor log
end

access-list session ap-acl access-list session v6-control access-list session v6-ap-acluser-role denyalluser-role default-vpn-role access-list session global-sacl access-list session apprf-default-vpn-role-sacl access-list session ra-guard access-list session allowall access-list session v6-allowalluser-role cpbase access-list session global-sacl access-list session apprf-cpbase-sacluser-role voice access-list session global-sacl access-list session apprf-voice-sacl access-list session ra-guard access-list session sip-acl access-list session noe-acl access-list session svp-acl access-list session vocera-acl access-list session skinny-acl access-list session h323-acl access-list session dhcp-acl access-list session tftp-acl access-list session dns-acl access-list session icmp-acluser-role ascom access-list session global-sacl access-list session apprf-ascom-sacl access-list session ascomuser-role default-via-role access-list session global-sacl access-list session apprf-default-via-role-sacl access-list session allowall access-list session v6-allowalluser-role guest-logon captive-portal default access-list session ra-guard access-list session logon-control access-list session captiveportal access-list session v6-logon-control access-list session captiveportal6user-role guest access-list session global-sacl access-list session apprf-guest-sacl access-list session ra-guard access-list session http-acl access-list session https-acl access-list session dhcp-acl access-list session icmp-acl access-list session dns-acl access-list session v6-http-acl access-list session v6-https-acl access-list session v6-dhcp-acl access-list session v6-icmp-acl access-list session v6-dns-acluser-role stateful-dot1x access-list session global-sacl access-list session apprf-stateful-dot1x-sacluser-role authenticated access-list session global-sacl access-list session apprf-authenticated-sacl access-list session ra-guard access-list session allowall access-list session v6-allowalluser-role 
logon access-list session ra-guard access-list session logon-control access-list session captiveportal access-list session vpnlogon access-list session v6-logon-control access-list session captiveportal6no kernel coredumpinterface mgmtshutdowndialer group evdo_us init-string ATQ0V1E0 dial-string ATDT777dialer group gsm_us init-string AT+CGDCONT=1IPISPCINGULAR dial-string ATD99dialer group gsm_asia init-string AT+CGDCONT=1IPinternet dial-string ATD991dialer group vivo_br init-string AT+CGDCONT=1IPzapvivocombr dial-string ATD99no spanning-treeinterface gigabitethernet 10description GE10trustedtrusted vlan 1-4094interface gigabitethernet 11description GE11trustedtrusted vlan 1-4094interface gigabitethernet 12description GE12trustedtrusted vlan 1-4094interface gigabitethernet 13description GE13trustedtrusted vlan 1-4094interface vlan 1ip address 192168013 2552552550ip default-gateway 172201061ip default-gateway 192168050uplink disablecrypto isakmp policy 20 encryption aes256crypto isakmp policy 10001crypto isakmp policy 10002 encryption aes256 authentication rsa-sigcrypto isakmp policy 10003 encryption aes256crypto isakmp policy 10004 version v2 encryption aes256 authentication rsa-sigcrypto isakmp policy 10005 encryption aes256crypto isakmp policy 10006 version v2 encryption aes128 authentication rsa-sigcrypto isakmp policy 10007 version v2 encryption aes128crypto isakmp policy 10008 version v2 encryption aes128 hash sha2-256-128 group 19 authentication ecdsa-256 prf prf-hmac-sha256crypto isakmp policy 10009 version v2 encryption aes256 hash sha2-384-192 group 20 authentication ecdsa-384 prf prf-hmac-sha384crypto ipsec transform-set default-ha-transform esp-3des esp-sha-hmaccrypto ipsec transform-set default-boc-bm-transform esp-3des esp-sha-hmaccrypto ipsec transform-set default-rap-transform esp-aes256 esp-sha-hmaccrypto ipsec transform-set default-aes esp-aes256 esp-sha-hmaccrypto dynamic-map default-rap-ipsecmap 10001 version v2 set transform-set default-gcm256 
default-gcm128 default-rap-transform crypto dynamic-map default-dynamicmap 10000 set transform-set default-transform default-aes crypto map GLOBAL-IKEV2-MAP 10000 ipsec-isakmp dynamic default-rap-ipsecmapcrypto map GLOBAL-MAP 10000 ipsec-isakmp dynamic default-dynamicmapcrypto isakmp eap-passthrough eap-tlscrypto isakmp eap-passthrough eap-peapcrypto isakmp eap-passthrough eap-mschapv2vpdn group l2tp vpdn group pptptunneled-node-address 0000adp discovery enableadp igmp-join enableadp igmp-vlan 0voice rtcp-inactivity disablevoice alg-based-cac enablevoice sip-midcall-req-timeout disableap ap-blacklist-time 3600ap flush-r1-on-new-r0 disablemgmt-user admin root 5436b5a101681372db26d314e974065944317cd3e1fe6a5534no database synchronizeip mobile domain defaultairgroup mdns enableairgroup dlna enableairgroup location-discovery enableairgroup active-wireless-discovery disableairgroupservice airplay id _airplay_tcp id _raop_tcp id _appletv-v2_tcp description AirPlayairgroupservice airprint id _ipp_tcp id _pdl-datastream_tcp id _printer_tcp id _scanner_tcp id _universal_sub_ipp_tcp id _universal_sub_ipps_tcp id _printer_sub_http_tcp id _http_tcp id _http-alt_tcp id _ipp-tls_tcp id _fax-ipp_tcp id _riousbprint_tcp id _cups_sub_ipp_tcp id _cups_sub_fax-ipp_tcp id _ica-networking_tcp id _ptp_tcp id _canon-bjnp1_tcp id _ipps_tcp id _ica-networking2_tcp description AirPrintairgroupservice itunes id _home-sharing_tcp id _apple-mobdev_tcp id _daap_tcp id _dacp_tcp description iTunesairgroupservice remotemgmt id _ssh_tcp id _sftp-ssh_tcp id _ftp_tcp id _telnet_tcp id _rfb_tcp id _net-assistant_tcp description Remote managementairgroupservice sharing id _odisk_tcp id _afpovertcp_tcp id _xgrid_tcp description Sharingairgroupservice chat id _presence_tcp description Chatairgroupservice googlecast id _googlecast_tcp description GoogleCast supported by Chromecast etcairgroupservice DIAL id urndial-multiscreen-orgservicedial1 id urndial-multiscreen-orgdevicedial1 description DIAL 
supported by Chromecast FireTV Roku etcairgroupservice DLNA Media id urnschemas-upnp-orgdeviceMediaServer1 id urnschemas-upnp-orgdeviceMediaServer2 id urnschemas-upnp-orgdeviceMediaServer3 id urnschemas-upnp-orgdeviceMediaServer4 id urnschemas-upnp-orgdeviceMediaRenderer1 id urnschemas-upnp-orgdeviceMediaRenderer2 id urnschemas-upnp-orgdeviceMediaRenderer3 id urnschemas-upnp-orgdeviceMediaPlayer1 description Mediaairgroupservice DLNA Print id urnschemas-upnp-orgdevicePrinter1 id urnschemas-upnp-orgservicePrintBasic1 id urnschemas-upnp-orgservicePrintEnhanced1 description Printairgroupservice allowall description Remaining-Servicesairgroup service airplay enableairgroup service airprint enableairgroup service itunes disableairgroup service remotemgmt disableairgroup service sharing disableairgroup service chat disableairgroup service googlecast disableairgroup service DIAL enableairgroup service DLNA Media disableairgroup service DLNA Print disableairgroup service allowall disableip igmpipv6 mldno firewall attack-rate cp 1024firewall enable ICE-STUN based firewall traversalfirewall attack-rate grat-arp 50 dropipv6 firewall ext-hdr-parse-len 100firewall cpip domain lookupcountry USaaa authentication mac defaultaaa authentication dot1x ArubaIntop-dot1x_profaaa authentication dot1x ascom machine-authentication enable machine-authentication machine-default-role ascom machine-authentication user-default-role authenticated reauthentication termination enable termination eap-type eap-peap termination inner-eap-type eap-mschapv2aaa authentication dot1x defaultaaa authentication dot1x Freeradius machine-authentication enable machine-authentication machine-default-role ascom machine-authentication user-default-role authenticatedaaa authentication-server radius Intop host 19216802 key 6035e299cd29e5ccb74cf92aac31ee2faaa server-group ascom auth-server Internalaaa server-group default auth-server Internal set role condition role value-ofaaa server-group intop auth-server 
Intopaaa profile ascom initial-role ascom authentication-dot1x ascom dot1x-default-role authenticated dot1x-server-group ascomaaa profile defaultaaa profile default-dot1x initial-role ascom authentication-dot1x Freeradius dot1x-default-role authenticated dot1x-server-group intopaaa profile default-dot1x-psk initial-role ascom authentication-dot1x default-psk dot1x-default-role authenticatedaaa authentication captive-portal defaultaaa authentication wispr defaultaaa authentication vpn defaultaaa authentication vpn default-rapaaa authentication mgmtaaa authentication stateful-ntlm defaultaaa authentication stateful-kerberos defaultaaa authentication stateful-dot1x server-group intopaaa authentication wiredweb-serverguest-access-emailvoice loggingvoice dialplan-profile defaultapp lync traffic-control defaultvoice real-time-configvoice sipaaa password-policy mgmtcontrol-plane-security no cpsec-enableids wms-general-profile poll-retries 3ids wms-local-system-profilevalid-network-oui-profileupgrade-profilelicense profileactivate-service-whitelistfile syncing profileifmap cppmpan profile defaultpan active-profileap system-profile defaultap regulatory-domain-profile default country-code US valid-11g-channel 1 valid-11g-channel 6 valid-11g-channel 11 valid-11a-channel 36 valid-11a-channel 40 valid-11a-channel 44 valid-11a-channel 48 valid-11a-channel 149 valid-11a-channel 153 valid-11a-channel 157 valid-11a-channel 161 valid-11a-channel 165 valid-11g-40mhz-channel-pair 1-5 valid-11g-40mhz-channel-pair 7-11 valid-11a-40mhz-channel-pair 36-40 valid-11a-40mhz-channel-pair 44-48 valid-11a-40mhz-channel-pair 149-153 valid-11a-40mhz-channel-pair 157-161ap wired-ap-profile defaultap enet-link-profile defaultap mesh-ht-ssid-profile defaultap lldp med-network-policy-profile defaultap mesh-cluster-profile defaultap lldp profile defaultap mesh-radio-profile defaultap wired-port-profile defaultids general-profile defaultids unauthorized-device-profile defaultids profile defaultrf 
arm-profile default assignment disablerf arm-profile disable assignment disable no scanning no multi-band-scanrf optimization-profile defaultrf event-thresholds-profile defaultrf am-scan-profile defaultrf dot11a-radio-profile ch 165 channel 48E tx-power 6 arm-profile disablerf dot11a-radio-profile ch 36 channel 36E tx-power 25 dot11h arm-profile disablerf dot11a-radio-profile ch 40 channel 40- tx-power 22rf dot11a-radio-profile ch149 channel 149E tx-power 6 dot11hrf dot11a-radio-profile ch44 channel 44 tx-power 16rf dot11a-radio-profile default arm-profile disablerf dot11g-radio-profile channel-1 channel 1 tx-power 6 dot11h arm-profile disablerf dot11g-radio-profile channel-11 channel 11 tx-power 30 dot11h arm-profile disablerf dot11g-radio-profile channel-6 channel 6 tx-power 25 dot11h arm-profile disablerf dot11g-radio-profile defaultwlan handover-trigger-profile defaultwlan rrm-ie-profile defaultwlan bcn-rpt-req-profile defaultwlan dot11r-profile defaultwlan tsm-req-profile defaultwlan voip-cac-profile default call-capacity 5 bandwidth-capacity 200 send-sip-status-code client 503 send-sip-status-code server 503wlan ht-ssid-profile default no 40MHz-enable no very-high-throughput-enable no 80MHz-enable no short-guard-intvl-20MHz no short-guard-intvl-40MHz no short-guard-intvl-80MHzwlan hotspot anqp-venue-name-profile defaultwlan hotspot anqp-nwk-auth-profile defaultwlan hotspot anqp-roam-cons-profile defaultwlan hotspot anqp-nai-realm-profile defaultwlan hotspot anqp-3gpp-nwk-profile defaultwlan hotspot h2qp-operator-friendly-name-profile defaultwlan hotspot h2qp-wan-metrics-profile defaultwlan hotspot h2qp-conn-capability-profile defaultwlan hotspot h2qp-op-cl-profile defaultwlan hotspot anqp-ip-addr-avail-profile defaultwlan hotspot anqp-domain-name-profile defaultwlan wmm-traffic-management-profile Ascom enable-shapingwlan edca-parameters-profile station defaultwlan edca-parameters-profile ap defaultwlan dot11k-profile defaultwlan ssid-profile --NEW-- essid 
ArubaIntop2 wmm-vo-dscp 56 wmm-vi-dscp 40 wmm-be-dscp 24 wmm-bk-dscp 8wlan ssid-profile default essid ArubaIntop opmode wpa2-psk-aes dtim-period 5 g-basic-rates 6 g-tx-rates 11 12 18 24 36 48 54 max-retries 4 wmm wmm-vo-dscp 46 wmm-vi-dscp 40 wmm-be-dscp 26 wmm-bk-dscp 0 wepkey1 1317981aecb1ee9a3145cbeeabbbc99a4c29e309ef9c8544 wpa-passphrase 50a78a5dac7e447441e028920cceef898a3ba5f29c6e2098 max-tx-fail 25 edca-parameters-profile station default edca-parameters-profile ap defaultwlan ssid-profile test opmode wpa2-psk-aes wmm-vo-dscp 56 wmm-vi-dscp 40 wmm-be-dscp 24 wmm-bk-dscp 8 wpa-passphrase c66913b490044f55538730b888a8522c02008a746fb88738wlan hotspot advertisement-profile defaultwlan hotspot hs2-profile defaultwlan virtual-ap default aaa-profile default-dot1xap provisioning-profile defaultrf arm-rf-domain-profile arm-rf-domain-key 49868e8b02680a8f03980ea4288197a4ap-lacp-striping-ipap-group default virtual-ap default dot11a-radio-profile ch149 dot11g-radio-profile channel-6ap-name 001a1eca2c1a dot11a-radio-profile ch 36 dot11g-radio-profile channel-11ap-name 001a1eca2c76 dot11a-radio-profile ch 36 dot11g-radio-profile channel-1ap-name 00246ccbf8b1ap-name 00246ccbf900 dot11a-radio-profile ch44 dot11g-radio-profile channel-11ap-name 24dec6cacabc dot11a-radio-profile ch149 dot11g-radio-profile channel-1ap-name 3400-ap-61-a dot11g-radio-profile channel-6ap-name 3400-ap-61-b dot11g-radio-profile channel-6ap-name 9c1c12c0c3bc dot11a-radio-profile ch 165 dot11g-radio-profile channel-6ap-name 9c1c12c82e5c dot11a-radio-profile ch149 dot11g-radio-profile channel-1ap-name 9c1c12cc6220 dot11a-radio-profile ch 36 dot11g-radio-profile channel-6ap-name d8c7c8c0a168 dot11a-radio-profile ch 36 dot11g-radio-profile channel-1airgroup cppm-server aaalogging level warnings security subcat idslogging level warnings security subcat ids-apsnmp-server enable trapsnmp-server trap source 0000snmp-server trap disable wlsxAdhocNetworksnmp-server trap disable 
wlsxAdhocNetworkBridgeDetectedAPsnmp-server trap disable wlsxAdhocNetworkBridgeDetectedStasnmp-server trap disable wlsxAdhocUsingValidSSIDsnmp-server trap disable wlsxAuthMaxAclEntriessnmp-server trap disable wlsxAuthMaxBWContractssnmp-server trap disable wlsxAuthMaxUserEntriessnmp-server trap disable wlsxAuthServerIsUpsnmp-server trap disable wlsxAuthServerReqTimedOutsnmp-server trap disable wlsxAuthServerTimedOutsnmp-server trap disable wlsxChannelChangedsnmp-server trap disable wlsxCoverageHoleDetectedsnmp-server trap disable wlsxDBCommunicationFailuresnmp-server trap disable wlsxDisconnectStationAttacksnmp-server trap disable wlsxESIServerDownsnmp-server trap disable wlsxESIServerUpsnmp-server trap disable wlsxFanFailuresnmp-server trap disable wlsxFanTrayInsertedsnmp-server trap disable wlsxFanTrayRemovedsnmp-server trap disable wlsxGBICInsertedsnmp-server trap disable wlsxIpSpoofingDetectedsnmp-server trap disable wlsxLCInsertedsnmp-server trap disable wlsxLCRemovedsnmp-server trap disable wlsxLicenseExpirysnmp-server trap disable wlsxLowMemorysnmp-server trap disable wlsxLowOnFlashSpacesnmp-server trap disable wlsxOutOfRangeTemperaturesnmp-server trap disable wlsxOutOfRangeVoltagesnmp-server trap disable wlsxPowerSupplyFailuresnmp-server trap disable wlsxPowerSupplyMissingsnmp-server trap disable wlsxProcessDiedsnmp-server trap disable wlsxProcessExceedsMemoryLimitssnmp-server trap disable wlsxSCInsertedsnmp-server trap disable wlsxSignatureMatchsnmp-server trap disable wlsxStaUnAssociatedFromUnsecureAPsnmp-server trap disable wlsxStationAddedToBlackListsnmp-server trap disable wlsxStationRemovedFromBlackListsnmp-server trap disable wlsxSwitchIPChangedsnmp-server trap disable wlsxSwitchRoleChangesnmp-server trap disable wlsxUserAuthenticationFailedsnmp-server trap disable wlsxUserEntryAuthenticatedsnmp-server trap disable wlsxUserEntryChangedsnmp-server trap disable wlsxUserEntryCreatedsnmp-server trap disable wlsxUserEntryDeAuthenticatedsnmp-server trap 
disable wlsxUserEntryDeletedsnmp-server trap disable wlsxVrrpStateChangefirewall-visibility process monitor logend

WLAN TR

WLAN Interoperability Test Report
Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP115 and AP225
WLAN configuration: Beacon Interval 100 ms, DTIM Interval 5, 802.11d Regulatory Domain XX, WMM Enabled (AutoWMM), No Auto-tune, Single Voice VLAN
Verdict columns, in order: AP115 2.4 GHz, AP115 5.0 GHz, AP225 2.4 GHz, AP225 5.0 GHz
Test Case Description Verdict Verdict Verdict Verdict Comment
TEST AREA ASSOCIATION AUTHENTICATION
101 Association with open authentication no encryption PASS PASS PASS PASS
104 Association with WPA-PSK authentication TKIP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED Not tested. Only possible in Mixed mode and requires advanced configuration of i62
105 Association with WPA-PSK authentication AES-CCMP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED Not tested. Only possible in Mixed mode and requires advanced configuration of i62
106 Association with WPA2-PSK authentication TKIP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED
107 Association with WPA2-PSK authentication AES-CCMP encryption PASS PASS PASS PASS
110 Association with PEAP-MSCHAPv2 auth AES-CCMP encryption PASS PASS PASS PASS FreeRADIUS RootCA FAIL
111 Association with EAP-FAST authentication NOT TESTED NOT TESTED NOT TESTED NOT TESTED
115 Association with multiple ESSIDs on AP PASS PASS PASS PASS See Comment
116 Association with EAP-TLS authentication PASS PASS PASS PASS FreeRADIUS RootCA + client certificate
TEST AREA POWER-SAVE AND QOS PASS
150 802.11 Power-save mode PASS PASS PASS PASS FAIL
151 Beacon period and DTIM interval NOT TESTED NOT TESTED NOT TESTED NOT TESTED NOT TESTED
152 802.11e U-APSD PASS PASS PASS PASS See Comment
202 WMM prioritization PASS PASS PASS PASS Background load generated with iPerf. No degeneration of voice quality
TEST AREA PERFORMANCE
301 Active mode - unencrypted NOT TESTED NOT TESTED NOT TESTED NOT TESTED
303 Active mode - encrypted with WPA2-PSK NOT TESTED NOT TESTED NOT TESTED NOT TESTED
308 Power-save mode U-APSD - WPA2-PSK NOT TESTED NOT TESTED NOT TESTED NOT TESTED
309 Power-save mode U-APSD - WPA2-PSK AES background load NOT TESTED NOT TESTED NOT TESTED NOT TESTED
310 CAC - TSPEC PASS PASS PASS PASS No TSPEC based CAC
TEST AREA ROAMING AND HANDOVER TIMES
401 Handover with open authentication and no encryption PASS PASS PASS PASS avg a/n 24 ms, b/g/n 24 ms
403 Handover with WPA-PSK authentication and TKIP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED
404 Handover with WPA2-PSK auth and AES-CCMP encryption PASS PASS PASS PASS avg a/n 52 ms, b/g/n 59 ms
408 Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption PASS PASS PASS PASS avg a/n 63 ms, b/g/n 62 ms
410 Handover using PMKSA caching PASS PASS PASS PASS always on, see 408
411 Handover using PMKSA and opportunistic/proactive key caching PASS PASS PASS PASS always on, see 408
TEST AREA BATTERY LIFETIME
501 Battery lifetime in idle NOT TESTED NOT TESTED NOT TESTED NOT TESTED
502 Battery lifetime in call with no power save NOT TESTED NOT TESTED NOT TESTED NOT TESTED
504 Battery lifetime in call with power save mode U-APSD NOT TESTED NOT TESTED NOT TESTED NOT TESTED
TEST AREA STABILITY
601 Duration of call - Active mode NOT TESTED NOT TESTED NOT TESTED NOT TESTED
602 Duration of call - U-APSD mode PASS PASS PASS PASS
TEST AREA 802.11n
801 Frame aggregation A-MSDU NOT TESTED NOT TESTED NOT TESTED NOT TESTED
802 Frame aggregation A-MPDU NOT TESTED NOT TESTED NOT TESTED NOT TESTED
804 40 MHz channels NOT TESTED PASS NOT TESTED NOT TESTED
805 802.11n rates PASS PASS PASS PASS
WLAN Interoperability Test Report
Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP103 and AP205
WLAN configuration: Beacon Interval 100 ms, DTIM Interval 5, 802.11d Regulatory Domain XX, WMM Enabled (AutoWMM), No Auto-tune, Single Voice VLAN
Verdict columns, in order: AP205 2.4 GHz, AP205 5.0 GHz, AP103 2.4 GHz, AP103 5.0 GHz
Test Case Description Verdict Verdict Verdict Verdict Comment
TEST AREA ASSOCIATION AUTHENTICATION
101 Association with open authentication no encryption PASS PASS PASS PASS
104 Association with WPA-PSK authentication TKIP encryption See Comment See Comment See Comment See Comment Not tested. Only possible in Mixed mode and requires advanced configuration of i62
105 Association with WPA-PSK authentication AES-CCMP encryption See Comment See Comment See Comment See Comment Not tested. Only possible in Mixed mode and requires advanced configuration of i62
106 Association with WPA2-PSK authentication TKIP encryption PASS PASS PASS PASS
107 Association with WPA2-PSK authentication AES-CCMP encryption PASS PASS PASS PASS
110 Association with PEAP-MSCHAPv2 auth AES-CCMP encryption PASS PASS PASS PASS FreeRADIUS RootCA FAIL
115 Association with multiple ESSIDs on AP PASS PASS PASS PASS See Comment
116 Association with EAP-TLS authentication PASS PASS PASS PASS FreeRADIUS RootCA + client certificate
TEST AREA POWER-SAVE AND QOS PASS
150 802.11 Power-save mode PASS PASS PASS PASS FAIL
151 Beacon period and DTIM interval See Comment See Comment PASS PASS Only DTIM 1 for AP205; AP103 no remark NOT TESTED
152 802.11e U-APSD PASS PASS PASS PASS See Comment
202 WMM prioritization PASS PASS PASS PASS
TEST AREA PERFORMANCE
301 Active mode - unencrypted PASS PASS PASS PASS
303 Active mode - encrypted with WPA2-PSK PASS PASS PASS PASS
308 Power-save mode U-APSD - WPA2-PSK PASS PASS PASS PASS
309 Power-save mode U-APSD - WPA2-PSK AES background load NOT TESTED NOT TESTED NOT TESTED NOT TESTED
310 CAC - TSPEC PASS PASS PASS PASS Non-TSPEC-based CAC
TEST AREA ROAMING AND HANDOVER TIMES
401 Handover with open authentication and no encryption PASS PASS PASS PASS Typical average roaming time a/n/ac 16 ms, b/g/n 18 ms
403 Handover with WPA-PSK authentication and TKIP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED
404 Handover with WPA2-PSK auth and AES-CCMP encryption PASS PASS PASS PASS Typical average roaming time a/n/ac 53 ms, b/g/n 59 ms
408 Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption PASS PASS PASS PASS Typical average roaming time a/n/ac 46 ms, b/g/n 62 ms
410 Handover using PMKSA caching PASS PASS PASS PASS always on, see 408
411 Handover using PMKSA and opportunistic/proactive key caching PASS PASS PASS PASS always on, see 408
TEST AREA BATTERY LIFETIME
501 Battery lifetime in idle See Comment See Comment PASS PASS 60-70 h due to DTIM 1 only; AP103 90-100 h (DTIM 5)
502 Battery lifetime in call with no power save PASS PASS PASS PASS 3-4 hours
504 Battery lifetime in call with power save mode U-APSD PASS PASS PASS PASS 13 h (14-16 h for AP103)
TEST AREA STABILITY
601 Duration of call - Active mode PASS PASS PASS PASS 24 h +
602 Duration of call - U-APSD mode PASS PASS PASS PASS 24 h +
TEST AREA 802.11n
801 Frame aggregation A-MSDU NOT TESTED NOT TESTED NOT TESTED NOT TESTED
802 Frame aggregation A-MPDU NOT TESTED NOT TESTED NOT TESTED NOT TESTED
804 40 MHz channels NOT TESTED PASS NOT TESTED PASS AP205 80 MHz channels verified OK
805 802.11n rates PASS PASS PASS PASS
WLAN Interoperability Test Report
Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP105 and AP135
WLAN configuration: Beacon Interval 100 ms, DTIM Interval 5, 802.11d Regulatory Domain XX, WMM Enabled (AutoWMM), No Auto-tune, Single Voice VLAN
Verdict columns, in order: AP105 2.4 GHz, AP105 5.0 GHz, AP135 2.4 GHz, AP135 5.0 GHz
Test Case Description Verdict Verdict Verdict Verdict Comment
TEST AREA ASSOCIATION AUTHENTICATION
101 Association with open authentication no encryption PASS PASS PASS PASS
104 Association with WPA-PSK authentication TKIP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED Not tested. Only possible in Mixed mode and requires advanced configuration of i62
105 Association with WPA-PSK authentication AES-CCMP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED Not tested. Only possible in Mixed mode and requires advanced configuration of i62
106 Association with WPA2-PSK authentication TKIP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED
107 Association with WPA2-PSK authentication AES-CCMP encryption PASS PASS PASS PASS
110 Association with PEAP-MSCHAPv2 auth AES-CCMP encryption PASS PASS PASS PASS FreeRADIUS RootCA FAIL
115 Association with multiple ESSIDs on AP PASS PASS PASS PASS See Comment
116 Association with EAP-TLS authentication PASS PASS PASS PASS FreeRADIUS RootCA + client certificate
TEST AREA POWER-SAVE AND QOS PASS
150 802.11 Power-save mode PASS PASS PASS PASS FAIL
151 Beacon period and DTIM interval NOT TESTED NOT TESTED NOT TESTED NOT TESTED Only DTIM 1 for AP205; AP103 no remark NOT TESTED
152 802.11e U-APSD PASS PASS PASS PASS See Comment
202 WMM prioritization NOT TESTED NOT TESTED NOT TESTED NOT TESTED Background load generated with iPerf. No degeneration of voice quality
TEST AREA PERFORMANCE
301 Active mode - unencrypted NOT TESTED NOT TESTED NOT TESTED NOT TESTED
303 Active mode - encrypted with WPA2-PSK NOT TESTED NOT TESTED NOT TESTED NOT TESTED
308 Power-save mode U-APSD - WPA2-PSK NOT TESTED NOT TESTED NOT TESTED NOT TESTED
309 Power-save mode U-APSD - WPA2-PSK AES background load NOT TESTED NOT TESTED NOT TESTED NOT TESTED
310 CAC - TSPEC PASS PASS PASS PASS No TSPEC based CAC
TEST AREA ROAMING AND HANDOVER TIMES
401 Handover with open authentication and no encryption PASS PASS PASS PASS avg a/n 29 ms, b/g/n 27 ms
403 Handover with WPA-PSK authentication and TKIP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED
404 Handover with WPA2-PSK auth and AES-CCMP encryption PASS PASS PASS PASS avg a/n 57 ms, b/g/n 55 ms
408 Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption PASS PASS PASS PASS avg a/n 62 ms, b/g/n 60 ms
410 Handover using PMKSA caching PASS PASS PASS PASS Always on, see 408
411 Handover using PMKSA and opportunistic/proactive key caching PASS PASS PASS PASS Always on, see 408
412 Preauthentication NOT TESTED NOT TESTED NOT TESTED NOT TESTED
TEST AREA BATTERY LIFETIME
501 Battery lifetime in idle NOT TESTED NOT TESTED NOT TESTED NOT TESTED
502 Battery lifetime in call with no power save NOT TESTED NOT TESTED NOT TESTED NOT TESTED
504 Battery lifetime in call with power save mode U-APSD NOT TESTED NOT TESTED NOT TESTED NOT TESTED
TEST AREA STABILITY
601 Duration of call - Active mode PASS PASS PASS PASS
602 Duration of call - U-APSD mode PASS PASS PASS PASS
TEST AREA 802.11n
801 Frame aggregation A-MSDU NOT TESTED NOT TESTED NOT TESTED NOT TESTED
802 Frame aggregation A-MPDU NOT TESTED NOT TESTED NOT TESTED NOT TESTED
804 40 MHz channels NOT TESTED NOT TESTED NOT TESTED PASS
805 802.11n rates PASS PASS PASS PASS

  max-retries 4
  wmm
  wmm-vo-dscp 46
  wmm-vi-dscp 40
  wmm-be-dscp 26
  wmm-bk-dscp 0
  wepkey1 1317981aecb1ee9a3145cbeeabbbc99a4c29e309ef9c8544
  wpa-passphrase 50a78a5dac7e447441e028920cceef898a3ba5f29c6e2098
  max-tx-fail 25
  edca-parameters-profile station default
  edca-parameters-profile ap default
wlan ssid-profile test
  opmode wpa2-psk-aes
  wmm-vo-dscp 56
  wmm-vi-dscp 40
  wmm-be-dscp 24
  wmm-bk-dscp 8
  wpa-passphrase c66913b490044f55538730b888a8522c02008a746fb88738
wlan hotspot advertisement-profile default
wlan hotspot hs2-profile default
wlan virtual-ap default
  aaa-profile default-dot1x
ap provisioning-profile default
rf arm-rf-domain-profile
  arm-rf-domain-key 49868e8b02680a8f03980ea4288197a4
ap-lacp-striping-ip
ap-group default
  virtual-ap default
  dot11a-radio-profile ch149
  dot11g-radio-profile channel-6
ap-name 001a1eca2c1a
  dot11a-radio-profile ch 36
  dot11g-radio-profile channel-11
ap-name 001a1eca2c76
  dot11a-radio-profile ch 36
  dot11g-radio-profile channel-1
ap-name 00246ccbf8b1
ap-name 00246ccbf900
  dot11a-radio-profile ch44
  dot11g-radio-profile channel-11
ap-name 24dec6cacabc
  dot11a-radio-profile ch149
  dot11g-radio-profile channel-1
ap-name 3400-ap-61-a
  dot11g-radio-profile channel-6
ap-name 3400-ap-61-b
  dot11g-radio-profile channel-6
ap-name 9c1c12c0c3bc
  dot11a-radio-profile ch 165
  dot11g-radio-profile channel-6


ap-name 9c1c12c82e5c
   dot11a-radio-profile ch149
   dot11g-radio-profile channel-1
ap-name 9c1c12cc6220
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-6
ap-name d8c7c8c0a168
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-1
airgroup cppm-server aaa
logging level warnings security subcat ids
logging level warnings security subcat ids-ap
snmp-server enable trap
snmp-server trap source 0000
snmp-server trap disable wlsxAdhocNetwork
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedAP
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedSta
snmp-server trap disable wlsxAdhocUsingValidSSID
snmp-server trap disable wlsxAuthMaxAclEntries
snmp-server trap disable wlsxAuthMaxBWContracts
snmp-server trap disable wlsxAuthMaxUserEntries
snmp-server trap disable wlsxAuthServerIsUp
snmp-server trap disable wlsxAuthServerReqTimedOut
snmp-server trap disable wlsxAuthServerTimedOut
snmp-server trap disable wlsxChannelChanged
snmp-server trap disable wlsxCoverageHoleDetected
snmp-server trap disable wlsxDBCommunicationFailure
snmp-server trap disable wlsxDisconnectStationAttack
snmp-server trap disable wlsxESIServerDown
snmp-server trap disable wlsxESIServerUp
snmp-server trap disable wlsxFanFailure
snmp-server trap disable wlsxFanTrayInserted
snmp-server trap disable wlsxFanTrayRemoved
snmp-server trap disable wlsxGBICInserted
snmp-server trap disable wlsxIpSpoofingDetected
snmp-server trap disable wlsxLCInserted
snmp-server trap disable wlsxLCRemoved
snmp-server trap disable wlsxLicenseExpiry
snmp-server trap disable wlsxLowMemory
snmp-server trap disable wlsxLowOnFlashSpace
snmp-server trap disable wlsxOutOfRangeTemperature
snmp-server trap disable wlsxOutOfRangeVoltage
snmp-server trap disable wlsxPowerSupplyFailure
snmp-server trap disable wlsxPowerSupplyMissing
snmp-server trap disable wlsxProcessDied
snmp-server trap disable wlsxProcessExceedsMemoryLimits
snmp-server trap disable wlsxSCInserted
snmp-server trap disable wlsxSignatureMatch
snmp-server trap disable wlsxStaUnAssociatedFromUnsecureAP
snmp-server trap disable wlsxStationAddedToBlackList
snmp-server trap disable wlsxStationRemovedFromBlackList
snmp-server trap disable wlsxSwitchIPChanged
snmp-server trap disable wlsxSwitchRoleChange
snmp-server trap disable wlsxUserAuthenticationFailed
snmp-server trap disable wlsxUserEntryAuthenticated
snmp-server trap disable wlsxUserEntryChanged
snmp-server trap disable wlsxUserEntryCreated
snmp-server trap disable wlsxUserEntryDeAuthenticated
snmp-server trap disable wlsxUserEntryDeleted
snmp-server trap disable wlsxVrrpStateChange


firewall-visibility
process monitor log
end


WLAN Interoperability Test Report

Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP115 and AP225
WLAN configuration: Beacon Interval 100ms; DTIM Interval 5; 802.11d Regulatory Domain XX; WMM Enabled (AutoWMM); No Auto-tune; Single Voice VLAN

| Test Case | Description | AP115 2.4GHz Verdict | AP115 5.0GHz Verdict | AP225 2.4GHz Verdict | AP225 5.0GHz Verdict | Comment |
|---|---|---|---|---|---|---|
| | TEST AREA ASSOCIATION AUTHENTICATION | | | | | |
| 101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS | |
| 104 | Association with WPA-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 105 | Association with WPA-PSK authentication, AES-CCMP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 106 | Association with WPA2-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS | |
| 110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL |
| 111 | Association with EAP-FAST authentication | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment |
| 116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate |
| | TEST AREA POWER-SAVE AND QOS | | | | | PASS |
| 150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL |
| 151 | Beacon period and DTIM interval | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
| 152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment |
| 202 | WMM prioritization | PASS | PASS | PASS | PASS | Background load generated with iPerf. No degeneration of voice quality |
| | TEST AREA PERFORMANCE | | | | | |
| 301 | Active mode - unencrypted | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 303 | Active mode - encrypted with WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 308 | Power-save mode U-APSD - WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 309 | Power-save mode U-APSD - WPA2-PSK AES, background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 310 | CAC - TSPEC | PASS | PASS | PASS | PASS | No TSPEC based CAC |
| | TEST AREA ROAMING AND HANDOVER TIMES | | | | | |
| 401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | avg a/n 24ms, b/g/n 24ms |
| 403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 52ms, b/g/n 59ms |
| 408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 63ms, b/g/n 62ms |
| 410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | always on, see 408 |
| 411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | always on, see 408 |
| | TEST AREA BATTERY LIFETIME | | | | | |
| 501 | Battery lifetime in idle | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 502 | Battery lifetime in call with no power save | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 504 | Battery lifetime in call with power save mode U-APSD | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| | TEST AREA STABILITY | | | | | |
| 601 | Duration of call - Active mode | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 602 | Duration of call - U-APSD mode | PASS | PASS | PASS | PASS | |
| | TEST AREA 802.11n | | | | | |
| 801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 804 | 40MHz channels | NOT TESTED | PASS | NOT TESTED | NOT TESTED | |
| 805 | 802.11n rates | PASS | PASS | PASS | PASS | |

WLAN Interoperability Test Report WLAN configuration
Beacon Interval 100ms
Test object - Handset DTIM Interval 5
Ascomi62 sw version 528 80211d Regulatory Domain XX
Test object - WLAN system WMM Enabled (AutoWMM)
Aruba 3400 v 6420 No Auto-tune
Ap103 and AP205 AP205 Ap103 Single Voice VLAN
24Ghz 50Ghz 24Ghz 50Ghz
Test Case Description Verdict Verdict Verdict Verdict Comment
TEST AREA ASSOCIATION AUTHENTICATION
101 Association with open authentication no encryption PASS PASS PASS PASS
104 Association with WPA-PSK authentication TKIP encryption See Comment See Comment See Comment See Comment Not tested Only possible in Mixed mode and requires advanced configuration of i62
105 Association with WPA-PSK authentication AES-CCMP encryption See Comment See Comment See Comment See Comment Not tested Only possible in Mixed mode and requires advanced configuration of i62
106 Association with WPA2-PSK authentication TKIP encryption PASS PASS PASS PASS
107 Association with WPA2-PSK authentication AES-CCMP encryption PASS PASS PASS PASS
110 Association with PEAP-MSCHAPv2 auth AES-CCMP encryption PASS PASS PASS PASS FreeRADIUS RootCA FAIL
115 Association with multiple ESSIDs on AP PASS PASS PASS PASS See Comment
116 Association with EAP-TLS authentication PASS PASS PASS PASS FreeRADIUS RootCA + client certificate
TEST AREA POWER-SAVE AND QOS PASS
150 80211 Power-save mode PASS PASS PASS PASS FAIL
151 Beacon period and DTIM interval See Comment See Comment PASS PASS Only Dtim 1 for AP205 AP103 no remark NOT TESTED
152 80211e U-APSD PASS PASS PASS PASS See Comment
202 WMM prioritization PASS PASS PASS PASS
TEST AREA PERFORMANCE
301 Active mode - unencrypted PASS PASS PASS PASS
303 Active mode - encrypted with WPA2-PSK PASS PASS PASS PASS
308 Power-save mode U-APSD - WPA2-PSK PASS PASS PASS PASS
309 Power-save mode U-APSD - WPA2-PSK AES background load NOT TESTED NOT TESTED NOT TESTED NOT TESTED
310 CAC - TSPEC PASS PASS PASS PASS Non tspec based CAC
TEST AREA ROAMING AND HANDOVER TIMES
401 Handover with open authentication and no encryption PASS PASS PASS PASS Typical average roaming time a/n/ac 16ms, b/g/n 18ms
403 Handover with WPA-PSK authentication and TKIP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED
404 Handover with WPA2-PSK auth and AES-CCMP encryption PASS PASS PASS PASS Typical average roaming time a/n/ac 53ms, b/g/n 59ms
408 Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption PASS PASS PASS PASS Typical average roaming time a/n/ac 46ms, b/g/n 62ms
410 Handover using PMKSA caching PASS PASS PASS PASS Always on, see 408
411 Handover using PMKSA and opportunistic/proactive key caching PASS PASS PASS PASS Always on, see 408
TEST AREA BATTERY LIFETIME
501 Battery lifetime in idle See Comment See Comment PASS PASS 60-70h due to DTIM 1 only AP103 90 100h (DTIM 5)
502 Battery lifetime in call with no power save PASS PASS PASS PASS 3-4hours
504 Battery lifetime in call with power save mode U-APSD PASS PASS PASS PASS 13h (14-16h for AP103)
TEST AREA STABILITY
601 Duration of call - Active mode PASS PASS PASS PASS 24h +
602 Duration of call - U-APSD mode PASS PASS PASS PASS 24h +
TEST AREA 802.11n
801 Frame aggregation A-MSDU NOT TESTED NOT TESTED NOT TESTED NOT TESTED
802 Frame aggregation A-MPDU NOT TESTED NOT TESTED NOT TESTED NOT TESTED
804 40MHz channels NOT TESTED PASS NOT TESTED PASS AP205 80MHz channels verified ok
805 802.11n rates PASS PASS PASS PASS
WLAN Interoperability Test Report
Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP105 and AP135
WLAN configuration: Beacon Interval 100ms; DTIM Interval 5; 802.11d Regulatory Domain XX; WMM Enabled (AutoWMM); No Auto-tune; Single Voice VLAN
Verdict columns: AP105 2.4GHz, AP105 5.0GHz, AP135 2.4GHz, AP135 5.0GHz
Test Case Description Verdict Verdict Verdict Verdict Comment
TEST AREA ASSOCIATION AUTHENTICATION
101 Association with open authentication no encryption PASS PASS PASS PASS
104 Association with WPA-PSK authentication TKIP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED Not tested Only possible in Mixed mode and requires advanced configuration of i62
105 Association with WPA-PSK authentication AES-CCMP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED Not tested Only possible in Mixed mode and requires advanced configuration of i62
106 Association with WPA2-PSK authentication TKIP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED
107 Association with WPA2-PSK authentication AES-CCMP encryption PASS PASS PASS PASS
110 Association with PEAP-MSCHAPv2 auth AES-CCMP encryption PASS PASS PASS PASS FreeRADIUS RootCA FAIL
115 Association with multiple ESSIDs on AP PASS PASS PASS PASS See Comment
116 Association with EAP-TLS authentication PASS PASS PASS PASS FreeRADIUS RootCA + client certificate
TEST AREA POWER-SAVE AND QOS PASS
150 802.11 Power-save mode PASS PASS PASS PASS FAIL
151 Beacon period and DTIM interval NOT TESTED NOT TESTED NOT TESTED NOT TESTED Only DTIM 1 for AP205, AP103 no remark NOT TESTED
152 802.11e U-APSD PASS PASS PASS PASS See Comment
202 WMM prioritization NOT TESTED NOT TESTED NOT TESTED NOT TESTED background load generated with iPerf No degeneration of voice quality
TEST AREA PERFORMANCE
301 Active mode - unencrypted NOT TESTED NOT TESTED NOT TESTED NOT TESTED
303 Active mode - encrypted with WPA2-PSK NOT TESTED NOT TESTED NOT TESTED NOT TESTED
308 Power-save mode U-APSD - WPA2-PSK NOT TESTED NOT TESTED NOT TESTED NOT TESTED
309 Power-save mode U-APSD - WPA2-PSK AES background load NOT TESTED NOT TESTED NOT TESTED NOT TESTED
310 CAC - TSPEC PASS PASS PASS PASS No TSPEC based CAC
TEST AREA ROAMING AND HANDOVER TIMES
401 Handover with open authentication and no encryption PASS PASS PASS PASS avg a/n 29ms, b/g/n 27ms
403 Handover with WPA-PSK authentication and TKIP encryption NOT TESTED NOT TESTED NOT TESTED NOT TESTED
404 Handover with WPA2-PSK auth and AES-CCMP encryption PASS PASS PASS PASS avg a/n 57ms, b/g/n 55ms
408 Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption PASS PASS PASS PASS avg a/n 62ms, b/g/n 60ms
410 Handover using PMKSA caching PASS PASS PASS PASS Always on, see 408
411 Handover using PMKSA and opportunistic/proactive key caching PASS PASS PASS PASS Always on, see 408
412 Preauthentication NOT TESTED NOT TESTED NOT TESTED NOT TESTED
TEST AREA BATTERY LIFETIME
501 Battery lifetime in idle NOT TESTED NOT TESTED NOT TESTED NOT TESTED
502 Battery lifetime in call with no power save NOT TESTED NOT TESTED NOT TESTED NOT TESTED
504 Battery lifetime in call with power save mode U-APSD NOT TESTED NOT TESTED NOT TESTED NOT TESTED
TEST AREA STABILITY
601 Duration of call - Active mode PASS PASS PASS PASS
602 Duration of call - U-APSD mode PASS PASS PASS PASS
TEST AREA 802.11n
801 Frame aggregation A-MSDU NOT TESTED NOT TESTED NOT TESTED NOT TESTED
802 Frame aggregation A-MPDU NOT TESTED NOT TESTED NOT TESTED NOT TESTED
804 40MHz channels NOT TESTED NOT TESTED NOT TESTED PASS
805 802.11n rates PASS PASS PASS PASS

ap-name 9c1c12c82e5c
   dot11a-radio-profile ch149
   dot11g-radio-profile channel-1
ap-name 9c1c12cc6220
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-6
ap-name d8c7c8c0a168
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-1
airgroup cppm-server aaa
logging level warnings security subcat ids
logging level warnings security subcat ids-ap
snmp-server enable trap
snmp-server trap source 0000
snmp-server trap disable wlsxAdhocNetwork
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedAP
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedSta
snmp-server trap disable wlsxAdhocUsingValidSSID
snmp-server trap disable wlsxAuthMaxAclEntries
snmp-server trap disable wlsxAuthMaxBWContracts
snmp-server trap disable wlsxAuthMaxUserEntries
snmp-server trap disable wlsxAuthServerIsUp
snmp-server trap disable wlsxAuthServerReqTimedOut
snmp-server trap disable wlsxAuthServerTimedOut
snmp-server trap disable wlsxChannelChanged
snmp-server trap disable wlsxCoverageHoleDetected
snmp-server trap disable wlsxDBCommunicationFailure
snmp-server trap disable wlsxDisconnectStationAttack
snmp-server trap disable wlsxESIServerDown
snmp-server trap disable wlsxESIServerUp
snmp-server trap disable wlsxFanFailure
snmp-server trap disable wlsxFanTrayInserted
snmp-server trap disable wlsxFanTrayRemoved
snmp-server trap disable wlsxGBICInserted
snmp-server trap disable wlsxIpSpoofingDetected
snmp-server trap disable wlsxLCInserted
snmp-server trap disable wlsxLCRemoved
snmp-server trap disable wlsxLicenseExpiry
snmp-server trap disable wlsxLowMemory
snmp-server trap disable wlsxLowOnFlashSpace
snmp-server trap disable wlsxOutOfRangeTemperature
snmp-server trap disable wlsxOutOfRangeVoltage
snmp-server trap disable wlsxPowerSupplyFailure
snmp-server trap disable wlsxPowerSupplyMissing
snmp-server trap disable wlsxProcessDied
snmp-server trap disable wlsxProcessExceedsMemoryLimits
snmp-server trap disable wlsxSCInserted
snmp-server trap disable wlsxSignatureMatch
snmp-server trap disable wlsxStaUnAssociatedFromUnsecureAP
snmp-server trap disable wlsxStationAddedToBlackList
snmp-server trap disable wlsxStationRemovedFromBlackList
snmp-server trap disable wlsxSwitchIPChanged
snmp-server trap disable wlsxSwitchRoleChange
snmp-server trap disable wlsxUserAuthenticationFailed
snmp-server trap disable wlsxUserEntryAuthenticated
snmp-server trap disable wlsxUserEntryChanged
snmp-server trap disable wlsxUserEntryCreated
snmp-server trap disable wlsxUserEntryDeAuthenticated
snmp-server trap disable wlsxUserEntryDeleted
snmp-server trap disable wlsxVrrpStateChange

firewall-visibility process monitor log
end

WLAN TR


WLAN TR

WLAN Interoperability Test Report

Test object - Handset: Ascom i62 sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP115 and AP225

WLAN configuration: Beacon Interval 100ms; DTIM Interval 5; 802.11d Regulatory Domain XX; WMM Enabled (AutoWMM); No Auto-tune; Single Voice VLAN

| Test Case | Description | AP115 2.4GHz | AP115 5.0GHz | AP225 2.4GHz | AP225 5.0GHz | Comment |
|---|---|---|---|---|---|---|
| | TEST AREA ASSOCIATION AUTHENTICATION | | | | | |
| 101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS | |
| 104 | Association with WPA-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 105 | Association with WPA-PSK authentication, AES-CCMP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 106 | Association with WPA2-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS | |
| 110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL |
| 111 | Association with EAP-FAST authentication | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment |
| 116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate |
| | TEST AREA POWER-SAVE AND QOS | | | | | PASS |
| 150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL |
| 151 | Beacon period and DTIM interval | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
| 152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment |
| 202 | WMM prioritization | PASS | PASS | PASS | PASS | background load generated with iPerf. No degeneration of voice quality |
| | TEST AREA PERFORMANCE | | | | | |
| 301 | Active mode - unencrypted | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 303 | Active mode - encrypted with WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 308 | Power-save mode U-APSD - WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 309 | Power-save mode U-APSD - WPA2-PSK AES background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 310 | CAC - TSPEC | PASS | PASS | PASS | PASS | No TSPEC based CAC |
| | TEST AREA ROAMING AND HANDOVER TIMES | | | | | |
| 401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | avg a/n 24ms, b/g/n 24ms |
| 403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 52ms, b/g/n 59ms |
| 408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 63ms, b/g/n 62ms |
| 410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | always on, see 408 |
| 411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | always on, see 408 |
| | TEST AREA BATTERY LIFETIME | | | | | |
| 501 | Battery lifetime in idle | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 502 | Battery lifetime in call with no power save | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 504 | Battery lifetime in call with power save mode U-APSD | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| | TEST AREA STABILITY | | | | | |
| 601 | Duration of call - Active mode | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 602 | Duration of call - U-APSD mode | PASS | PASS | PASS | PASS | |
| | TEST AREA 802.11n | | | | | |
| 801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 804 | 40MHz channels | NOT TESTED | PASS | NOT TESTED | NOT TESTED | |
| 805 | 802.11n rates | PASS | PASS | PASS | PASS | |

WLAN Interoperability Test Report

Test object - Handset: Ascom i62 sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP103 and AP205

WLAN configuration: Beacon Interval 100ms; DTIM Interval 5; 802.11d Regulatory Domain XX; WMM Enabled (AutoWMM); No Auto-tune; Single Voice VLAN

| Test Case | Description | AP205 2.4GHz | AP205 5.0GHz | AP103 2.4GHz | AP103 5.0GHz | Comment |
|---|---|---|---|---|---|---|
| | TEST AREA ASSOCIATION AUTHENTICATION | | | | | |
| 101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS | |
| 104 | Association with WPA-PSK authentication, TKIP encryption | See Comment | See Comment | See Comment | See Comment | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 105 | Association with WPA-PSK authentication, AES-CCMP encryption | See Comment | See Comment | See Comment | See Comment | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 106 | Association with WPA2-PSK authentication, TKIP encryption | PASS | PASS | PASS | PASS | |
| 107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS | |
| 110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL |
| 115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment |
| 116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate |
| | TEST AREA POWER-SAVE AND QOS | | | | | PASS |
| 150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL |
| 151 | Beacon period and DTIM interval | See Comment | See Comment | PASS | PASS | Only Dtim 1 for AP205 AP103 no remark NOT TESTED |
| 152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment |
| 202 | WMM prioritization | PASS | PASS | PASS | PASS | |
| | TEST AREA PERFORMANCE | | | | | |
| 301 | Active mode - unencrypted | PASS | PASS | PASS | PASS | |
| 303 | Active mode - encrypted with WPA2-PSK | PASS | PASS | PASS | PASS | |
| 308 | Power-save mode U-APSD - WPA2-PSK | PASS | PASS | PASS | PASS | |
| 309 | Power-save mode U-APSD - WPA2-PSK AES background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 310 | CAC - TSPEC | PASS | PASS | PASS | PASS | Non tspec based CAC |
| | TEST AREA ROAMING AND HANDOVER TIMES | | | | | |
| 401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 16ms, b/g/n 18ms |
| 403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 53ms, b/g/n 59ms |
| 408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 46ms, b/g/n 62ms |
| 410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | always on, see 408 |
| 411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | always on, see 408 |
| | TEST AREA BATTERY LIFETIME | | | | | |
| 501 | Battery lifetime in idle | See Comment | See Comment | PASS | PASS | 60-70h due to DTIM 1 only AP103 90 100h (DTIM 5) |
| 502 | Battery lifetime in call with no power save | PASS | PASS | PASS | PASS | 3-4 hours |
| 504 | Battery lifetime in call with power save mode U-APSD | PASS | PASS | PASS | PASS | 13h (14-16h for AP103) |
| | TEST AREA STABILITY | | | | | |
| 601 | Duration of call - Active mode | PASS | PASS | PASS | PASS | 24h + |
| 602 | Duration of call - U-APSD mode | PASS | PASS | PASS | PASS | 24h + |
| | TEST AREA 802.11n | | | | | |
| 801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 804 | 40MHz channels | NOT TESTED | PASS | NOT TESTED | PASS | AP205 80MHz channels verified ok |
| 805 | 802.11n rates | PASS | PASS | PASS | PASS | |

WLAN Interoperability Test Report

Test object - Handset: Ascom i62 sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP105 and AP135

WLAN configuration: Beacon Interval 100ms; DTIM Interval 5; 802.11d Regulatory Domain XX; WMM Enabled (AutoWMM); No Auto-tune; Single Voice VLAN

| Test Case | Description | AP105 2.4GHz | AP105 5.0GHz | AP135 2.4GHz | AP135 5.0GHz | Comment |
|---|---|---|---|---|---|---|
| | TEST AREA ASSOCIATION AUTHENTICATION | | | | | |
| 101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS | |
| 104 | Association with WPA-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 105 | Association with WPA-PSK authentication, AES-CCMP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 106 | Association with WPA2-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS | |
| 110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL |
| 115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment |
| 116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate |
| | TEST AREA POWER-SAVE AND QOS | | | | | PASS |
| 150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL |
| 151 | Beacon period and DTIM interval | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Only Dtim 1 for AP205 AP103 no remark NOT TESTED |
| 152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment |
| 202 | WMM prioritization | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | background load generated with iPerf. No degeneration of voice quality |
| | TEST AREA PERFORMANCE | | | | | |
| 301 | Active mode - unencrypted | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 303 | Active mode - encrypted with WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 308 | Power-save mode U-APSD - WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 309 | Power-save mode U-APSD - WPA2-PSK AES background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 310 | CAC - TSPEC | PASS | PASS | PASS | PASS | No TSPEC based CAC |
| | TEST AREA ROAMING AND HANDOVER TIMES | | | | | |
| 401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | avg a/n 29ms, b/g/n 27ms |
| 403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 57ms, b/g/n 55ms |
| 408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 62ms, b/g/n 60ms |
| 410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | Always on, see 408 |
| 411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | Always on, see 408 |
| 412 | Preauthentication | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| | TEST AREA BATTERY LIFETIME | | | | | |
| 501 | Battery lifetime in idle | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 502 | Battery lifetime in call with no power save | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 504 | Battery lifetime in call with power save mode U-APSD | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| | TEST AREA STABILITY | | | | | |
| 601 | Duration of call - Active mode | PASS | PASS | PASS | PASS | |
| 602 | Duration of call - U-APSD mode | PASS | PASS | PASS | PASS | |
| | TEST AREA 802.11n | | | | | |
| 801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 804 | 40MHz channels | NOT TESTED | NOT TESTED | NOT TESTED | PASS | |
| 805 | 802.11n rates | PASS | PASS | PASS | PASS | |
version 64enable secret 7d3988e20126db68084797bcc038534bffc2ced01c24555806hostname Aruba3400clock timezone PST -8location Building1floor1 controller config 716ip NAT pool dynamic-srcnat 0000 0000ip access-list eth validuserethacl permit any netservice svc-pcoip2-tcp tcp 4172netservice svc-snmp-trap udp 162netservice svc-netbios-dgm udp 138netservice svc-citrix tcp 2598netservice svc-smb-tcp tcp 445netservice svc-ike udp 500netservice svc-l2tp udp 1701netservice svc-syslog udp 514netservice svc-dhcp udp 67 68 alg dhcpnetservice svc-https tcp 443netservice svc-ica tcp 1494netservice svc-pptp tcp 1723netservice svc-telnet tcp 23netservice svc-http-accl tcp 88netservice svc-sccp tcp 2000 alg sccpnetservice svc-sec-papi udp 8209netservice svc-tftp udp 69 alg tftpnetservice svc-kerberos udp 88netservice svc-sip-tcp tcp 5060netservice svc-netbios-ssn tcp 139netservice svc-pcoip-udp udp 50002netservice svc-pcoip-tcp tcp 50002netservice svc-pop3 tcp 110netservice svc-adp udp 8200netservice svc-cfgm-tcp tcp 8211netservice svc-noe udp 32512 alg noenetservice svc-http-proxy3 tcp 8888netservice svc-lpd-tcp tcp 631netservice svc-msrpc-tcp tcp 135 139netservice svc-rtsp tcp 554 alg rtspnetservice svc-dns udp 53 alg dnsnetservice vnc tcp 5900 5905netservice svc-vocera udp 5002 alg voceranetservice svc-h323-tcp tcp 1720netservice svc-h323-udp udp 1718 1719netservice svc-http tcp 80netservice svc-nterm tcp 1026 1028netservice svc-sip-udp udp 5060netservice svc-http-proxy2 tcp 8080netservice svc-noe-oxo udp 5000 alg noenetservice svc-papi udp 8211netservice svc-ftp tcp 21 alg ftpnetservice svc-natt udp 4500netservice svc-svp 119 alg svpnetservice svc-microsoft-ds tcp 445netservice svc-gre 47netservice svc-smtp tcp 25netservice web tcp list 80 443netservice svc-smb-udp udp 445netservice svc-sips tcp 5061 alg sipsnetservice svc-netbios-ns udp 137netservice svc-esp 50netservice svc-cups tcp 515netservice svc-pcoip2-udp udp 4172netservice svc-bootp udp 67 69netservice svc-snmp udp 
161netservice svc-v6-dhcp udp 546 547netservice svc-icmp 1netservice svc-ntp udp 123netservice svc-msrpc-udp udp 135 139netservice svc-ssh tcp 22netservice svc-http-proxy1 tcp 3128netservice svc-v6-icmp 58netservice svc-lpd-udp udp 631netservice svc-vmware-rdp tcp 3389netdestination6 ipv6-reserved-range invert network 20003netexthdr defaulttime-range night-hours periodic weekday 1801 to 2359 weekday 0000 to 0759time-range weekend periodic weekend 0000 to 2359time-range working-hours periodic weekday 0800 to 1800ip access-list session allow-diskservices any any svc-netbios-dgm permit any any svc-netbios-ssn permit any any svc-microsoft-ds permit any any svc-netbios-ns permit ip access-list session control any any svc-papi permit any any svc-sec-papi permit user any udp 68 deny any any svc-icmp permit any any svc-dns permit any any svc-cfgm-tcp permit any any svc-adp permit any any svc-tftp permit any any svc-dhcp permit any any svc-natt permit ip access-list session v6-icmp-aclip access-list session apprf-ascom-saclip access-list session validuser network 16925400 25525500 any any deny network 127000 255000 any any deny network 224000 240000 any any deny host 255255255255 any any deny network 240000 240000 any any deny any any any permit ipv6 host fe80 any any deny ipv6 network fc007 any any permit ipv6 network fe8064 any any permit ipv6 alias ipv6-reserved-range any any deny ipv6 any any any permit ip access-list session vocera-acl any any svc-vocera permit queue high ip access-list session v6-https-aclip access-list session vmware-acl any any svc-vmware-rdp permit tos 46 dot1p-priority 6 any any svc-pcoip-tcp permit tos 46 dot1p-priority 6 any any svc-pcoip-udp permit tos 46 dot1p-priority 6 any any svc-pcoip2-tcp permit tos 46 dot1p-priority 6 any any svc-pcoip2-udp permit tos 46 dot1p-priority 6 ip access-list session apprf-default-vpn-role-saclip access-list session v6-control ipv6 any any svc-papi permit ipv6 any any svc-sec-papi permit ipv6 user any udp 547 
deny ipv6 any any svc-v6-icmp permit ipv6 any any svc-dns permit ipv6 any any svc-cfgm-tcp permit ipv6 any any svc-adp permit ipv6 any any svc-tftp permit ipv6 any any svc-dhcp permit ipv6 any any svc-natt permit ip access-list session icmp-acl any any svc-icmp permit ip access-list session apprf-authenticated-saclip access-list session apprf-stateful-dot1x-saclip access-list session captiveportal user alias controller svc-https dst-nat 8081 user any svc-http dst-nat 8080 user any svc-https dst-nat 8081 user any svc-http-proxy1 dst-nat 8088 user any svc-http-proxy2 dst-nat 8088 user any svc-http-proxy3 dst-nat 8088 ip access-list session v6-dhcp-aclip access-list session allowall any any any permit ip access-list session v6-dns-aclip access-list session apprf-voice-saclip access-list session lync-acl any any svc-sips permit queue high ip access-list session testip access-list session sip-acl any any svc-sip-udp permit queue high any any svc-sip-tcp permit queue high ip access-list session https-acl any any svc-https permit ip access-list session citrix-acl any any svc-citrix permit tos 46 dot1p-priority 6 any any svc-ica permit tos 46 dot1p-priority 6 ip access-list session dns-acl any any svc-dns permit ip access-list session ascom any any any permit ip access-list session ra-guard ipv6 user any icmpv6 rtr-adv deny ip access-list session allow-printservices any any svc-cups permit any any svc-lpd-tcp permit any any svc-lpd-udp permit ip access-list session logon-control user any udp 68 deny any any svc-icmp permit any any svc-dns permit any any svc-dhcp permit any any svc-natt permit any network 16925400 25525500 any deny any network 240000 240000 any deny ip access-list session vpnlogon user any svc-ike permit user any svc-esp permit any any svc-l2tp permit any any svc-pptp permit any any svc-gre permit ip access-list session srcnat user any any src-nat ip access-list session skinny-acl any any svc-sccp permit queue high ip access-list session tftp-acl any any 
svc-tftp permit ip access-list session v6-allowallip access-list session apprf-cpbase-saclip access-list session cplogout user alias controller svc-https dst-nat 8081 ip access-list session apprf-default-via-role-saclip access-list session dhcp-acl any any svc-dhcp permit ip access-list session http-acl any any svc-http permit ip access-list session v6-http-aclip access-list session captiveportal6 ipv6 user alias controller6 svc-https captive ipv6 user any svc-http captive ipv6 user any svc-https captive ipv6 user any svc-http-proxy1 captive ipv6 user any svc-http-proxy2 captive ipv6 user any svc-http-proxy3 captive ip access-list session apprf-guest-saclip access-list session ap-uplink-acl any any udp 68 permit any any svc-icmp permit any host 22400251 udp 5353 permit ip access-list session ap-acl any any svc-gre permit any any svc-syslog permit any user svc-snmp permit user any svc-http permit user any svc-http-accl permit user any svc-smb-tcp permit user any svc-msrpc-tcp permit user any svc-snmp-trap permit user any svc-ntp permit user alias controller svc-ftp permit ip access-list session svp-acl any any svc-svp permit queue high user host 22401116 any permit ip access-list session noe-acl any any svc-noe permit queue high ip access-list session global-saclip access-list session v6-ap-acl ipv6 any any svc-gre permit ipv6 any any svc-syslog permit ipv6 any user svc-snmp permit ipv6 user any svc-snmp-trap permit ipv6 user any svc-ntp permit ipv6 user alias controller6 svc-ftp permit ip access-list session h323-acl any any svc-h323-tcp permit queue high any any svc-h323-udp permit queue high ip access-list session v6-logon-control ipv6 any network fc007 any permit ipv6 any network fe8064 any permit ipv6 any alias ipv6-reserved-range any deny vpn-dialer default-dialer ike authentication PRE-SHARE 0fa4598253e270cc96afbec0732b06120e4a3d76a908f6e2dot1x high-watermark 60dot1x low-watermark 57user-role ap-role access-list session ra-guard access-list session control 
access-list session ap-acl access-list session v6-control access-list session v6-ap-acluser-role denyalluser-role default-vpn-role access-list session global-sacl access-list session apprf-default-vpn-role-sacl access-list session ra-guard access-list session allowall access-list session v6-allowalluser-role cpbase access-list session global-sacl access-list session apprf-cpbase-sacluser-role voice access-list session global-sacl access-list session apprf-voice-sacl access-list session ra-guard access-list session sip-acl access-list session noe-acl access-list session svp-acl access-list session vocera-acl access-list session skinny-acl access-list session h323-acl access-list session dhcp-acl access-list session tftp-acl access-list session dns-acl access-list session icmp-acluser-role ascom access-list session global-sacl access-list session apprf-ascom-sacl access-list session ascomuser-role default-via-role access-list session global-sacl access-list session apprf-default-via-role-sacl access-list session allowall access-list session v6-allowalluser-role guest-logon captive-portal default access-list session ra-guard access-list session logon-control access-list session captiveportal access-list session v6-logon-control access-list session captiveportal6user-role guest access-list session global-sacl access-list session apprf-guest-sacl access-list session ra-guard access-list session http-acl access-list session https-acl access-list session dhcp-acl access-list session icmp-acl access-list session dns-acl access-list session v6-http-acl access-list session v6-https-acl access-list session v6-dhcp-acl access-list session v6-icmp-acl access-list session v6-dns-acluser-role stateful-dot1x access-list session global-sacl access-list session apprf-stateful-dot1x-sacluser-role authenticated access-list session global-sacl access-list session apprf-authenticated-sacl access-list session ra-guard access-list session allowall access-list session v6-allowalluser-role 
logon access-list session ra-guard access-list session logon-control access-list session captiveportal access-list session vpnlogon access-list session v6-logon-control access-list session captiveportal6no kernel coredumpinterface mgmtshutdowndialer group evdo_us init-string ATQ0V1E0 dial-string ATDT777dialer group gsm_us init-string AT+CGDCONT=1IPISPCINGULAR dial-string ATD99dialer group gsm_asia init-string AT+CGDCONT=1IPinternet dial-string ATD991dialer group vivo_br init-string AT+CGDCONT=1IPzapvivocombr dial-string ATD99no spanning-treeinterface gigabitethernet 10description GE10trustedtrusted vlan 1-4094interface gigabitethernet 11description GE11trustedtrusted vlan 1-4094interface gigabitethernet 12description GE12trustedtrusted vlan 1-4094interface gigabitethernet 13description GE13trustedtrusted vlan 1-4094interface vlan 1ip address 192168013 2552552550ip default-gateway 172201061ip default-gateway 192168050uplink disablecrypto isakmp policy 20 encryption aes256crypto isakmp policy 10001crypto isakmp policy 10002 encryption aes256 authentication rsa-sigcrypto isakmp policy 10003 encryption aes256crypto isakmp policy 10004 version v2 encryption aes256 authentication rsa-sigcrypto isakmp policy 10005 encryption aes256crypto isakmp policy 10006 version v2 encryption aes128 authentication rsa-sigcrypto isakmp policy 10007 version v2 encryption aes128crypto isakmp policy 10008 version v2 encryption aes128 hash sha2-256-128 group 19 authentication ecdsa-256 prf prf-hmac-sha256crypto isakmp policy 10009 version v2 encryption aes256 hash sha2-384-192 group 20 authentication ecdsa-384 prf prf-hmac-sha384crypto ipsec transform-set default-ha-transform esp-3des esp-sha-hmaccrypto ipsec transform-set default-boc-bm-transform esp-3des esp-sha-hmaccrypto ipsec transform-set default-rap-transform esp-aes256 esp-sha-hmaccrypto ipsec transform-set default-aes esp-aes256 esp-sha-hmaccrypto dynamic-map default-rap-ipsecmap 10001 version v2 set transform-set default-gcm256 
default-gcm128 default-rap-transform crypto dynamic-map default-dynamicmap 10000 set transform-set default-transform default-aes crypto map GLOBAL-IKEV2-MAP 10000 ipsec-isakmp dynamic default-rap-ipsecmapcrypto map GLOBAL-MAP 10000 ipsec-isakmp dynamic default-dynamicmapcrypto isakmp eap-passthrough eap-tlscrypto isakmp eap-passthrough eap-peapcrypto isakmp eap-passthrough eap-mschapv2vpdn group l2tp vpdn group pptptunneled-node-address 0000adp discovery enableadp igmp-join enableadp igmp-vlan 0voice rtcp-inactivity disablevoice alg-based-cac enablevoice sip-midcall-req-timeout disableap ap-blacklist-time 3600ap flush-r1-on-new-r0 disablemgmt-user admin root 5436b5a101681372db26d314e974065944317cd3e1fe6a5534no database synchronizeip mobile domain defaultairgroup mdns enableairgroup dlna enableairgroup location-discovery enableairgroup active-wireless-discovery disableairgroupservice airplay id _airplay_tcp id _raop_tcp id _appletv-v2_tcp description AirPlayairgroupservice airprint id _ipp_tcp id _pdl-datastream_tcp id _printer_tcp id _scanner_tcp id _universal_sub_ipp_tcp id _universal_sub_ipps_tcp id _printer_sub_http_tcp id _http_tcp id _http-alt_tcp id _ipp-tls_tcp id _fax-ipp_tcp id _riousbprint_tcp id _cups_sub_ipp_tcp id _cups_sub_fax-ipp_tcp id _ica-networking_tcp id _ptp_tcp id _canon-bjnp1_tcp id _ipps_tcp id _ica-networking2_tcp description AirPrintairgroupservice itunes id _home-sharing_tcp id _apple-mobdev_tcp id _daap_tcp id _dacp_tcp description iTunesairgroupservice remotemgmt id _ssh_tcp id _sftp-ssh_tcp id _ftp_tcp id _telnet_tcp id _rfb_tcp id _net-assistant_tcp description Remote managementairgroupservice sharing id _odisk_tcp id _afpovertcp_tcp id _xgrid_tcp description Sharingairgroupservice chat id _presence_tcp description Chatairgroupservice googlecast id _googlecast_tcp description GoogleCast supported by Chromecast etcairgroupservice DIAL id urndial-multiscreen-orgservicedial1 id urndial-multiscreen-orgdevicedial1 description DIAL 
supported by Chromecast FireTV Roku etcairgroupservice DLNA Media id urnschemas-upnp-orgdeviceMediaServer1 id urnschemas-upnp-orgdeviceMediaServer2 id urnschemas-upnp-orgdeviceMediaServer3 id urnschemas-upnp-orgdeviceMediaServer4 id urnschemas-upnp-orgdeviceMediaRenderer1 id urnschemas-upnp-orgdeviceMediaRenderer2 id urnschemas-upnp-orgdeviceMediaRenderer3 id urnschemas-upnp-orgdeviceMediaPlayer1 description Mediaairgroupservice DLNA Print id urnschemas-upnp-orgdevicePrinter1 id urnschemas-upnp-orgservicePrintBasic1 id urnschemas-upnp-orgservicePrintEnhanced1 description Printairgroupservice allowall description Remaining-Servicesairgroup service airplay enableairgroup service airprint enableairgroup service itunes disableairgroup service remotemgmt disableairgroup service sharing disableairgroup service chat disableairgroup service googlecast disableairgroup service DIAL enableairgroup service DLNA Media disableairgroup service DLNA Print disableairgroup service allowall disableip igmpipv6 mldno firewall attack-rate cp 1024firewall enable ICE-STUN based firewall traversalfirewall attack-rate grat-arp 50 dropipv6 firewall ext-hdr-parse-len 100firewall cpip domain lookupcountry USaaa authentication mac defaultaaa authentication dot1x ArubaIntop-dot1x_profaaa authentication dot1x ascom machine-authentication enable machine-authentication machine-default-role ascom machine-authentication user-default-role authenticated reauthentication termination enable termination eap-type eap-peap termination inner-eap-type eap-mschapv2aaa authentication dot1x defaultaaa authentication dot1x Freeradius machine-authentication enable machine-authentication machine-default-role ascom machine-authentication user-default-role authenticatedaaa authentication-server radius Intop host 19216802 key 6035e299cd29e5ccb74cf92aac31ee2faaa server-group ascom auth-server Internalaaa server-group default auth-server Internal set role condition role value-ofaaa server-group intop auth-server 
Intopaaa profile ascom initial-role ascom authentication-dot1x ascom dot1x-default-role authenticated dot1x-server-group ascomaaa profile defaultaaa profile default-dot1x initial-role ascom authentication-dot1x Freeradius dot1x-default-role authenticated dot1x-server-group intopaaa profile default-dot1x-psk initial-role ascom authentication-dot1x default-psk dot1x-default-role authenticatedaaa authentication captive-portal defaultaaa authentication wispr defaultaaa authentication vpn defaultaaa authentication vpn default-rapaaa authentication mgmtaaa authentication stateful-ntlm defaultaaa authentication stateful-kerberos defaultaaa authentication stateful-dot1x server-group intopaaa authentication wiredweb-serverguest-access-emailvoice loggingvoice dialplan-profile defaultapp lync traffic-control defaultvoice real-time-configvoice sipaaa password-policy mgmtcontrol-plane-security no cpsec-enableids wms-general-profile poll-retries 3ids wms-local-system-profilevalid-network-oui-profileupgrade-profilelicense profileactivate-service-whitelistfile syncing profileifmap cppmpan profile defaultpan active-profileap system-profile defaultap regulatory-domain-profile default country-code US valid-11g-channel 1 valid-11g-channel 6 valid-11g-channel 11 valid-11a-channel 36 valid-11a-channel 40 valid-11a-channel 44 valid-11a-channel 48 valid-11a-channel 149 valid-11a-channel 153 valid-11a-channel 157 valid-11a-channel 161 valid-11a-channel 165 valid-11g-40mhz-channel-pair 1-5 valid-11g-40mhz-channel-pair 7-11 valid-11a-40mhz-channel-pair 36-40 valid-11a-40mhz-channel-pair 44-48 valid-11a-40mhz-channel-pair 149-153 valid-11a-40mhz-channel-pair 157-161ap wired-ap-profile defaultap enet-link-profile defaultap mesh-ht-ssid-profile defaultap lldp med-network-policy-profile defaultap mesh-cluster-profile defaultap lldp profile defaultap mesh-radio-profile defaultap wired-port-profile defaultids general-profile defaultids unauthorized-device-profile defaultids profile defaultrf 
arm-profile default assignment disablerf arm-profile disable assignment disable no scanning no multi-band-scanrf optimization-profile defaultrf event-thresholds-profile defaultrf am-scan-profile defaultrf dot11a-radio-profile ch 165 channel 48E tx-power 6 arm-profile disablerf dot11a-radio-profile ch 36 channel 36E tx-power 25 dot11h arm-profile disablerf dot11a-radio-profile ch 40 channel 40- tx-power 22rf dot11a-radio-profile ch149 channel 149E tx-power 6 dot11hrf dot11a-radio-profile ch44 channel 44 tx-power 16rf dot11a-radio-profile default arm-profile disablerf dot11g-radio-profile channel-1 channel 1 tx-power 6 dot11h arm-profile disablerf dot11g-radio-profile channel-11 channel 11 tx-power 30 dot11h arm-profile disablerf dot11g-radio-profile channel-6 channel 6 tx-power 25 dot11h arm-profile disablerf dot11g-radio-profile defaultwlan handover-trigger-profile defaultwlan rrm-ie-profile defaultwlan bcn-rpt-req-profile defaultwlan dot11r-profile defaultwlan tsm-req-profile defaultwlan voip-cac-profile default call-capacity 5 bandwidth-capacity 200 send-sip-status-code client 503 send-sip-status-code server 503wlan ht-ssid-profile default no 40MHz-enable no very-high-throughput-enable no 80MHz-enable no short-guard-intvl-20MHz no short-guard-intvl-40MHz no short-guard-intvl-80MHzwlan hotspot anqp-venue-name-profile defaultwlan hotspot anqp-nwk-auth-profile defaultwlan hotspot anqp-roam-cons-profile defaultwlan hotspot anqp-nai-realm-profile defaultwlan hotspot anqp-3gpp-nwk-profile defaultwlan hotspot h2qp-operator-friendly-name-profile defaultwlan hotspot h2qp-wan-metrics-profile defaultwlan hotspot h2qp-conn-capability-profile defaultwlan hotspot h2qp-op-cl-profile defaultwlan hotspot anqp-ip-addr-avail-profile defaultwlan hotspot anqp-domain-name-profile defaultwlan wmm-traffic-management-profile Ascom enable-shapingwlan edca-parameters-profile station defaultwlan edca-parameters-profile ap defaultwlan dot11k-profile defaultwlan ssid-profile --NEW-- essid 
ArubaIntop2 wmm-vo-dscp 56 wmm-vi-dscp 40 wmm-be-dscp 24 wmm-bk-dscp 8wlan ssid-profile default essid ArubaIntop opmode wpa2-psk-aes dtim-period 5 g-basic-rates 6 g-tx-rates 11 12 18 24 36 48 54 max-retries 4 wmm wmm-vo-dscp 46 wmm-vi-dscp 40 wmm-be-dscp 26 wmm-bk-dscp 0 wepkey1 1317981aecb1ee9a3145cbeeabbbc99a4c29e309ef9c8544 wpa-passphrase 50a78a5dac7e447441e028920cceef898a3ba5f29c6e2098 max-tx-fail 25 edca-parameters-profile station default edca-parameters-profile ap defaultwlan ssid-profile test opmode wpa2-psk-aes wmm-vo-dscp 56 wmm-vi-dscp 40 wmm-be-dscp 24 wmm-bk-dscp 8 wpa-passphrase c66913b490044f55538730b888a8522c02008a746fb88738wlan hotspot advertisement-profile defaultwlan hotspot hs2-profile defaultwlan virtual-ap default aaa-profile default-dot1xap provisioning-profile defaultrf arm-rf-domain-profile arm-rf-domain-key 49868e8b02680a8f03980ea4288197a4ap-lacp-striping-ipap-group default virtual-ap default dot11a-radio-profile ch149 dot11g-radio-profile channel-6ap-name 001a1eca2c1a dot11a-radio-profile ch 36 dot11g-radio-profile channel-11ap-name 001a1eca2c76 dot11a-radio-profile ch 36 dot11g-radio-profile channel-1ap-name 00246ccbf8b1ap-name 00246ccbf900 dot11a-radio-profile ch44 dot11g-radio-profile channel-11ap-name 24dec6cacabc dot11a-radio-profile ch149 dot11g-radio-profile channel-1ap-name 3400-ap-61-a dot11g-radio-profile channel-6ap-name 3400-ap-61-b dot11g-radio-profile channel-6ap-name 9c1c12c0c3bc dot11a-radio-profile ch 165 dot11g-radio-profile channel-6ap-name 9c1c12c82e5c dot11a-radio-profile ch149 dot11g-radio-profile channel-1ap-name 9c1c12cc6220 dot11a-radio-profile ch 36 dot11g-radio-profile channel-6ap-name d8c7c8c0a168 dot11a-radio-profile ch 36 dot11g-radio-profile channel-1airgroup cppm-server aaalogging level warnings security subcat idslogging level warnings security subcat ids-apsnmp-server enable trapsnmp-server trap source 0000snmp-server trap disable wlsxAdhocNetworksnmp-server trap disable 
wlsxAdhocNetworkBridgeDetectedAPsnmp-server trap disable wlsxAdhocNetworkBridgeDetectedStasnmp-server trap disable wlsxAdhocUsingValidSSIDsnmp-server trap disable wlsxAuthMaxAclEntriessnmp-server trap disable wlsxAuthMaxBWContractssnmp-server trap disable wlsxAuthMaxUserEntriessnmp-server trap disable wlsxAuthServerIsUpsnmp-server trap disable wlsxAuthServerReqTimedOutsnmp-server trap disable wlsxAuthServerTimedOutsnmp-server trap disable wlsxChannelChangedsnmp-server trap disable wlsxCoverageHoleDetectedsnmp-server trap disable wlsxDBCommunicationFailuresnmp-server trap disable wlsxDisconnectStationAttacksnmp-server trap disable wlsxESIServerDownsnmp-server trap disable wlsxESIServerUpsnmp-server trap disable wlsxFanFailuresnmp-server trap disable wlsxFanTrayInsertedsnmp-server trap disable wlsxFanTrayRemovedsnmp-server trap disable wlsxGBICInsertedsnmp-server trap disable wlsxIpSpoofingDetectedsnmp-server trap disable wlsxLCInsertedsnmp-server trap disable wlsxLCRemovedsnmp-server trap disable wlsxLicenseExpirysnmp-server trap disable wlsxLowMemorysnmp-server trap disable wlsxLowOnFlashSpacesnmp-server trap disable wlsxOutOfRangeTemperaturesnmp-server trap disable wlsxOutOfRangeVoltagesnmp-server trap disable wlsxPowerSupplyFailuresnmp-server trap disable wlsxPowerSupplyMissingsnmp-server trap disable wlsxProcessDiedsnmp-server trap disable wlsxProcessExceedsMemoryLimitssnmp-server trap disable wlsxSCInsertedsnmp-server trap disable wlsxSignatureMatchsnmp-server trap disable wlsxStaUnAssociatedFromUnsecureAPsnmp-server trap disable wlsxStationAddedToBlackListsnmp-server trap disable wlsxStationRemovedFromBlackListsnmp-server trap disable wlsxSwitchIPChangedsnmp-server trap disable wlsxSwitchRoleChangesnmp-server trap disable wlsxUserAuthenticationFailedsnmp-server trap disable wlsxUserEntryAuthenticatedsnmp-server trap disable wlsxUserEntryChangedsnmp-server trap disable wlsxUserEntryCreatedsnmp-server trap disable wlsxUserEntryDeAuthenticatedsnmp-server trap 
disable wlsxUserEntryDeleted
snmp-server trap disable wlsxVrrpStateChange
firewall-visibility
process monitor log
end

WLAN TR

WLAN Interoperability Test Report

Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP115 and AP225

WLAN configuration:
Beacon Interval: 100ms
DTIM Interval: 5
802.11d Regulatory Domain: XX
WMM Enabled (AutoWMM)
No Auto-tune
Single Voice VLAN

| Test Case | Description | Verdict AP115 2.4GHz | Verdict AP115 5.0GHz | Verdict AP225 2.4GHz | Verdict AP225 5.0GHz | Comment |
|---|---|---|---|---|---|---|
| TEST AREA ASSOCIATION AUTHENTICATION | | | | | | |
| 101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS | |
| 104 | Association with WPA-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 105 | Association with WPA-PSK authentication, AES-CCMP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 106 | Association with WPA2-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS | |
| 110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL |
| 111 | Association with EAP-FAST authentication | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment |
| 116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate |
| TEST AREA POWER-SAVE AND QOS | | | | | | PASS |
| 150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL |
| 151 | Beacon period and DTIM interval | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
| 152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment |
| 202 | WMM prioritization | PASS | PASS | PASS | PASS | Background load generated with iPerf. No degeneration of voice quality |
| TEST AREA PERFORMANCE | | | | | | |
| 301 | Active mode - unencrypted | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 303 | Active mode – encrypted with WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 308 | Power-save mode U-APSD – WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 309 | Power-save mode U-APSD – WPA2-PSK AES background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 310 | CAC - TSPEC | PASS | PASS | PASS | PASS | No TSPEC based CAC |
| TEST AREA ROAMING AND HANDOVER TIMES | | | | | | |
| 401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | avg a/n 24ms, b/g/n 24ms |
| 403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 52ms, b/g/n 59ms |
| 408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 63ms, b/g/n 62ms |
| 410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | Always on, see 408 |
| 411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | Always on, see 408 |
| TEST AREA BATTERY LIFETIME | | | | | | |
| 501 | Battery lifetime in idle | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 502 | Battery lifetime in call with no power save | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 504 | Battery lifetime in call with power save mode U-APSD | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| TEST AREA STABILITY | | | | | | |
| 601 | Duration of call – Active mode | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 602 | Duration of call – U-APSD mode | PASS | PASS | PASS | PASS | |
| TEST AREA 802.11n | | | | | | |
| 801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 804 | 40MHz channels | NOT TESTED | PASS | NOT TESTED | NOT TESTED | |
| 805 | 802.11n rates | PASS | PASS | PASS | PASS | |

WLAN Interoperability Test Report

Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP103 and AP205

WLAN configuration:
Beacon Interval: 100ms
DTIM Interval: 5
802.11d Regulatory Domain: XX
WMM Enabled (AutoWMM)
No Auto-tune
Single Voice VLAN

| Test Case | Description | Verdict AP205 2.4GHz | Verdict AP205 5.0GHz | Verdict AP103 2.4GHz | Verdict AP103 5.0GHz | Comment |
|---|---|---|---|---|---|---|
| TEST AREA ASSOCIATION AUTHENTICATION | | | | | | |
| 101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS | |
| 104 | Association with WPA-PSK authentication, TKIP encryption | See Comment | See Comment | See Comment | See Comment | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 105 | Association with WPA-PSK authentication, AES-CCMP encryption | See Comment | See Comment | See Comment | See Comment | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 106 | Association with WPA2-PSK authentication, TKIP encryption | PASS | PASS | PASS | PASS | |
| 107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS | |
| 110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL |
| 115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment |
| 116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate |
| TEST AREA POWER-SAVE AND QOS | | | | | | PASS |
| 150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL |
| 151 | Beacon period and DTIM interval | See Comment | See Comment | PASS | PASS | Only Dtim 1 for AP205, AP103 no remark NOT TESTED |
| 152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment |
| 202 | WMM prioritization | PASS | PASS | PASS | PASS | |
| TEST AREA PERFORMANCE | | | | | | |
| 301 | Active mode - unencrypted | PASS | PASS | PASS | PASS | |
| 303 | Active mode – encrypted with WPA2-PSK | PASS | PASS | PASS | PASS | |
| 308 | Power-save mode U-APSD – WPA2-PSK | PASS | PASS | PASS | PASS | |
| 309 | Power-save mode U-APSD – WPA2-PSK AES background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 310 | CAC - TSPEC | PASS | PASS | PASS | PASS | Non tspec based CAC |
| TEST AREA ROAMING AND HANDOVER TIMES | | | | | | |
| 401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 16ms, b/g/n 18ms |
| 403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 53ms, b/g/n 59ms |
| 408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 46ms, b/g/n 62ms |
| 410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | Always on, see 408 |
| 411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | Always on, see 408 |
| TEST AREA BATTERY LIFETIME | | | | | | |
| 501 | Battery lifetime in idle | See Comment | See Comment | PASS | PASS | 60-70h due to DTIM 1 only AP103 90 100h (DTIM 5) |
| 502 | Battery lifetime in call with no power save | PASS | PASS | PASS | PASS | 3-4 hours |
| 504 | Battery lifetime in call with power save mode U-APSD | PASS | PASS | PASS | PASS | 13h (14-16h for AP103) |
| TEST AREA STABILITY | | | | | | |
| 601 | Duration of call – Active mode | PASS | PASS | PASS | PASS | 24h + |
| 602 | Duration of call – U-APSD mode | PASS | PASS | PASS | PASS | 24h + |
| TEST AREA 802.11n | | | | | | |
| 801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 804 | 40MHz channels | NOT TESTED | PASS | NOT TESTED | PASS | AP205 80MHz channels verified ok |
| 805 | 802.11n rates | PASS | PASS | PASS | PASS | |

WLAN Interoperability Test Report

Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP105 and AP135

WLAN configuration:
Beacon Interval: 100ms
DTIM Interval: 5
802.11d Regulatory Domain: XX
WMM Enabled (AutoWMM)
No Auto-tune
Single Voice VLAN

| Test Case | Description | Verdict AP105 2.4GHz | Verdict AP105 5.0GHz | Verdict AP135 2.4GHz | Verdict AP135 5.0GHz | Comment |
|---|---|---|---|---|---|---|
| TEST AREA ASSOCIATION AUTHENTICATION | | | | | | |
| 101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS | |
| 104 | Association with WPA-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 105 | Association with WPA-PSK authentication, AES-CCMP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 106 | Association with WPA2-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS | |
| 110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL |
| 115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment |
| 116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate |
| TEST AREA POWER-SAVE AND QOS | | | | | | PASS |
| 150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL |
| 151 | Beacon period and DTIM interval | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Only Dtim 1 for AP205, AP103 no remark NOT TESTED |
| 152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment |
| 202 | WMM prioritization | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Background load generated with iPerf. No degeneration of voice quality |
| TEST AREA PERFORMANCE | | | | | | |
| 301 | Active mode - unencrypted | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 303 | Active mode – encrypted with WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 308 | Power-save mode U-APSD – WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 309 | Power-save mode U-APSD – WPA2-PSK AES background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 310 | CAC - TSPEC | PASS | PASS | PASS | PASS | No TSPEC based CAC |
| TEST AREA ROAMING AND HANDOVER TIMES | | | | | | |
| 401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | avg a/n 29ms, b/g/n 27ms |
| 403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 57ms, b/g/n 55ms |
| 408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 62ms, b/g/n 60ms |
| 410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | Always on, see 408 |
| 411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | Always on, see 408 |
| 412 | Preauthentication | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| TEST AREA BATTERY LIFETIME | | | | | | |
| 501 | Battery lifetime in idle | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 502 | Battery lifetime in call with no power save | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 504 | Battery lifetime in call with power save mode U-APSD | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| TEST AREA STABILITY | | | | | | |
| 601 | Duration of call – Active mode | PASS | PASS | PASS | PASS | |
| 602 | Duration of call – U-APSD mode | PASS | PASS | PASS | PASS | |
| TEST AREA 802.11n | | | | | | |
| 801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 804 | 40MHz channels | NOT TESTED | NOT TESTED | NOT TESTED | PASS | |
| 805 | 802.11n rates | PASS | PASS | PASS | PASS | |

version 64enable secret 7d3988e20126db68084797bcc038534bffc2ced01c24555806hostname Aruba3400clock timezone PST -8location Building1floor1 controller config 716ip NAT pool dynamic-srcnat 0000 0000ip access-list eth validuserethacl permit any netservice svc-pcoip2-tcp tcp 4172netservice svc-snmp-trap udp 162netservice svc-netbios-dgm udp 138netservice svc-citrix tcp 2598netservice svc-smb-tcp tcp 445netservice svc-ike udp 500netservice svc-l2tp udp 1701netservice svc-syslog udp 514netservice svc-dhcp udp 67 68 alg dhcpnetservice svc-https tcp 443netservice svc-ica tcp 1494netservice svc-pptp tcp 1723netservice svc-telnet tcp 23netservice svc-http-accl tcp 88netservice svc-sccp tcp 2000 alg sccpnetservice svc-sec-papi udp 8209netservice svc-tftp udp 69 alg tftpnetservice svc-kerberos udp 88netservice svc-sip-tcp tcp 5060netservice svc-netbios-ssn tcp 139netservice svc-pcoip-udp udp 50002netservice svc-pcoip-tcp tcp 50002netservice svc-pop3 tcp 110netservice svc-adp udp 8200netservice svc-cfgm-tcp tcp 8211netservice svc-noe udp 32512 alg noenetservice svc-http-proxy3 tcp 8888netservice svc-lpd-tcp tcp 631netservice svc-msrpc-tcp tcp 135 139netservice svc-rtsp tcp 554 alg rtspnetservice svc-dns udp 53 alg dnsnetservice vnc tcp 5900 5905netservice svc-vocera udp 5002 alg voceranetservice svc-h323-tcp tcp 1720netservice svc-h323-udp udp 1718 1719netservice svc-http tcp 80netservice svc-nterm tcp 1026 1028netservice svc-sip-udp udp 5060netservice svc-http-proxy2 tcp 8080netservice svc-noe-oxo udp 5000 alg noenetservice svc-papi udp 8211netservice svc-ftp tcp 21 alg ftpnetservice svc-natt udp 4500netservice svc-svp 119 alg svpnetservice svc-microsoft-ds tcp 445netservice svc-gre 47netservice svc-smtp tcp 25netservice web tcp list 80 443netservice svc-smb-udp udp 445netservice svc-sips tcp 5061 alg sipsnetservice svc-netbios-ns udp 137netservice svc-esp 50netservice svc-cups tcp 515netservice svc-pcoip2-udp udp 4172netservice svc-bootp udp 67 69netservice svc-snmp udp 
161netservice svc-v6-dhcp udp 546 547netservice svc-icmp 1netservice svc-ntp udp 123netservice svc-msrpc-udp udp 135 139netservice svc-ssh tcp 22netservice svc-http-proxy1 tcp 3128netservice svc-v6-icmp 58netservice svc-lpd-udp udp 631netservice svc-vmware-rdp tcp 3389netdestination6 ipv6-reserved-range invert network 20003netexthdr defaulttime-range night-hours periodic weekday 1801 to 2359 weekday 0000 to 0759time-range weekend periodic weekend 0000 to 2359time-range working-hours periodic weekday 0800 to 1800ip access-list session allow-diskservices any any svc-netbios-dgm permit any any svc-netbios-ssn permit any any svc-microsoft-ds permit any any svc-netbios-ns permit ip access-list session control any any svc-papi permit any any svc-sec-papi permit user any udp 68 deny any any svc-icmp permit any any svc-dns permit any any svc-cfgm-tcp permit any any svc-adp permit any any svc-tftp permit any any svc-dhcp permit any any svc-natt permit ip access-list session v6-icmp-aclip access-list session apprf-ascom-saclip access-list session validuser network 16925400 25525500 any any deny network 127000 255000 any any deny network 224000 240000 any any deny host 255255255255 any any deny network 240000 240000 any any deny any any any permit ipv6 host fe80 any any deny ipv6 network fc007 any any permit ipv6 network fe8064 any any permit ipv6 alias ipv6-reserved-range any any deny ipv6 any any any permit ip access-list session vocera-acl any any svc-vocera permit queue high ip access-list session v6-https-aclip access-list session vmware-acl any any svc-vmware-rdp permit tos 46 dot1p-priority 6 any any svc-pcoip-tcp permit tos 46 dot1p-priority 6 any any svc-pcoip-udp permit tos 46 dot1p-priority 6 any any svc-pcoip2-tcp permit tos 46 dot1p-priority 6 any any svc-pcoip2-udp permit tos 46 dot1p-priority 6 ip access-list session apprf-default-vpn-role-saclip access-list session v6-control ipv6 any any svc-papi permit ipv6 any any svc-sec-papi permit ipv6 user any udp 547 
deny ipv6 any any svc-v6-icmp permit ipv6 any any svc-dns permit ipv6 any any svc-cfgm-tcp permit ipv6 any any svc-adp permit ipv6 any any svc-tftp permit ipv6 any any svc-dhcp permit ipv6 any any svc-natt permit ip access-list session icmp-acl any any svc-icmp permit ip access-list session apprf-authenticated-saclip access-list session apprf-stateful-dot1x-saclip access-list session captiveportal user alias controller svc-https dst-nat 8081 user any svc-http dst-nat 8080 user any svc-https dst-nat 8081 user any svc-http-proxy1 dst-nat 8088 user any svc-http-proxy2 dst-nat 8088 user any svc-http-proxy3 dst-nat 8088 ip access-list session v6-dhcp-aclip access-list session allowall any any any permit ip access-list session v6-dns-aclip access-list session apprf-voice-saclip access-list session lync-acl any any svc-sips permit queue high ip access-list session testip access-list session sip-acl any any svc-sip-udp permit queue high any any svc-sip-tcp permit queue high ip access-list session https-acl any any svc-https permit ip access-list session citrix-acl any any svc-citrix permit tos 46 dot1p-priority 6 any any svc-ica permit tos 46 dot1p-priority 6 ip access-list session dns-acl any any svc-dns permit ip access-list session ascom any any any permit ip access-list session ra-guard ipv6 user any icmpv6 rtr-adv deny ip access-list session allow-printservices any any svc-cups permit any any svc-lpd-tcp permit any any svc-lpd-udp permit ip access-list session logon-control user any udp 68 deny any any svc-icmp permit any any svc-dns permit any any svc-dhcp permit any any svc-natt permit any network 16925400 25525500 any deny any network 240000 240000 any deny ip access-list session vpnlogon user any svc-ike permit user any svc-esp permit any any svc-l2tp permit any any svc-pptp permit any any svc-gre permit ip access-list session srcnat user any any src-nat ip access-list session skinny-acl any any svc-sccp permit queue high ip access-list session tftp-acl any any 
svc-tftp permit ip access-list session v6-allowallip access-list session apprf-cpbase-saclip access-list session cplogout user alias controller svc-https dst-nat 8081 ip access-list session apprf-default-via-role-saclip access-list session dhcp-acl any any svc-dhcp permit ip access-list session http-acl any any svc-http permit ip access-list session v6-http-aclip access-list session captiveportal6 ipv6 user alias controller6 svc-https captive ipv6 user any svc-http captive ipv6 user any svc-https captive ipv6 user any svc-http-proxy1 captive ipv6 user any svc-http-proxy2 captive ipv6 user any svc-http-proxy3 captive ip access-list session apprf-guest-saclip access-list session ap-uplink-acl any any udp 68 permit any any svc-icmp permit any host 22400251 udp 5353 permit ip access-list session ap-acl any any svc-gre permit any any svc-syslog permit any user svc-snmp permit user any svc-http permit user any svc-http-accl permit user any svc-smb-tcp permit user any svc-msrpc-tcp permit user any svc-snmp-trap permit user any svc-ntp permit user alias controller svc-ftp permit ip access-list session svp-acl any any svc-svp permit queue high user host 22401116 any permit ip access-list session noe-acl any any svc-noe permit queue high ip access-list session global-saclip access-list session v6-ap-acl ipv6 any any svc-gre permit ipv6 any any svc-syslog permit ipv6 any user svc-snmp permit ipv6 user any svc-snmp-trap permit ipv6 user any svc-ntp permit ipv6 user alias controller6 svc-ftp permit ip access-list session h323-acl any any svc-h323-tcp permit queue high any any svc-h323-udp permit queue high ip access-list session v6-logon-control ipv6 any network fc007 any permit ipv6 any network fe8064 any permit ipv6 any alias ipv6-reserved-range any deny vpn-dialer default-dialer ike authentication PRE-SHARE 0fa4598253e270cc96afbec0732b06120e4a3d76a908f6e2dot1x high-watermark 60dot1x low-watermark 57user-role ap-role access-list session ra-guard access-list session control 
access-list session ap-acl access-list session v6-control access-list session v6-ap-acluser-role denyalluser-role default-vpn-role access-list session global-sacl access-list session apprf-default-vpn-role-sacl access-list session ra-guard access-list session allowall access-list session v6-allowalluser-role cpbase access-list session global-sacl access-list session apprf-cpbase-sacluser-role voice access-list session global-sacl access-list session apprf-voice-sacl access-list session ra-guard access-list session sip-acl access-list session noe-acl access-list session svp-acl access-list session vocera-acl access-list session skinny-acl access-list session h323-acl access-list session dhcp-acl access-list session tftp-acl access-list session dns-acl access-list session icmp-acluser-role ascom access-list session global-sacl access-list session apprf-ascom-sacl access-list session ascomuser-role default-via-role access-list session global-sacl access-list session apprf-default-via-role-sacl access-list session allowall access-list session v6-allowalluser-role guest-logon captive-portal default access-list session ra-guard access-list session logon-control access-list session captiveportal access-list session v6-logon-control access-list session captiveportal6user-role guest access-list session global-sacl access-list session apprf-guest-sacl access-list session ra-guard access-list session http-acl access-list session https-acl access-list session dhcp-acl access-list session icmp-acl access-list session dns-acl access-list session v6-http-acl access-list session v6-https-acl access-list session v6-dhcp-acl access-list session v6-icmp-acl access-list session v6-dns-acluser-role stateful-dot1x access-list session global-sacl access-list session apprf-stateful-dot1x-sacluser-role authenticated access-list session global-sacl access-list session apprf-authenticated-sacl access-list session ra-guard access-list session allowall access-list session v6-allowalluser-role 
logon access-list session ra-guard access-list session logon-control access-list session captiveportal access-list session vpnlogon access-list session v6-logon-control access-list session captiveportal6no kernel coredumpinterface mgmtshutdowndialer group evdo_us init-string ATQ0V1E0 dial-string ATDT777dialer group gsm_us init-string AT+CGDCONT=1IPISPCINGULAR dial-string ATD99dialer group gsm_asia init-string AT+CGDCONT=1IPinternet dial-string ATD991dialer group vivo_br init-string AT+CGDCONT=1IPzapvivocombr dial-string ATD99no spanning-treeinterface gigabitethernet 10description GE10trustedtrusted vlan 1-4094interface gigabitethernet 11description GE11trustedtrusted vlan 1-4094interface gigabitethernet 12description GE12trustedtrusted vlan 1-4094interface gigabitethernet 13description GE13trustedtrusted vlan 1-4094interface vlan 1ip address 192168013 2552552550ip default-gateway 172201061ip default-gateway 192168050uplink disablecrypto isakmp policy 20 encryption aes256crypto isakmp policy 10001crypto isakmp policy 10002 encryption aes256 authentication rsa-sigcrypto isakmp policy 10003 encryption aes256crypto isakmp policy 10004 version v2 encryption aes256 authentication rsa-sigcrypto isakmp policy 10005 encryption aes256crypto isakmp policy 10006 version v2 encryption aes128 authentication rsa-sigcrypto isakmp policy 10007 version v2 encryption aes128crypto isakmp policy 10008 version v2 encryption aes128 hash sha2-256-128 group 19 authentication ecdsa-256 prf prf-hmac-sha256crypto isakmp policy 10009 version v2 encryption aes256 hash sha2-384-192 group 20 authentication ecdsa-384 prf prf-hmac-sha384crypto ipsec transform-set default-ha-transform esp-3des esp-sha-hmaccrypto ipsec transform-set default-boc-bm-transform esp-3des esp-sha-hmaccrypto ipsec transform-set default-rap-transform esp-aes256 esp-sha-hmaccrypto ipsec transform-set default-aes esp-aes256 esp-sha-hmaccrypto dynamic-map default-rap-ipsecmap 10001 version v2 set transform-set default-gcm256 
default-gcm128 default-rap-transform crypto dynamic-map default-dynamicmap 10000 set transform-set default-transform default-aes crypto map GLOBAL-IKEV2-MAP 10000 ipsec-isakmp dynamic default-rap-ipsecmapcrypto map GLOBAL-MAP 10000 ipsec-isakmp dynamic default-dynamicmapcrypto isakmp eap-passthrough eap-tlscrypto isakmp eap-passthrough eap-peapcrypto isakmp eap-passthrough eap-mschapv2vpdn group l2tp vpdn group pptptunneled-node-address 0000adp discovery enableadp igmp-join enableadp igmp-vlan 0voice rtcp-inactivity disablevoice alg-based-cac enablevoice sip-midcall-req-timeout disableap ap-blacklist-time 3600ap flush-r1-on-new-r0 disablemgmt-user admin root 5436b5a101681372db26d314e974065944317cd3e1fe6a5534no database synchronizeip mobile domain defaultairgroup mdns enableairgroup dlna enableairgroup location-discovery enableairgroup active-wireless-discovery disableairgroupservice airplay id _airplay_tcp id _raop_tcp id _appletv-v2_tcp description AirPlayairgroupservice airprint id _ipp_tcp id _pdl-datastream_tcp id _printer_tcp id _scanner_tcp id _universal_sub_ipp_tcp id _universal_sub_ipps_tcp id _printer_sub_http_tcp id _http_tcp id _http-alt_tcp id _ipp-tls_tcp id _fax-ipp_tcp id _riousbprint_tcp id _cups_sub_ipp_tcp id _cups_sub_fax-ipp_tcp id _ica-networking_tcp id _ptp_tcp id _canon-bjnp1_tcp id _ipps_tcp id _ica-networking2_tcp description AirPrintairgroupservice itunes id _home-sharing_tcp id _apple-mobdev_tcp id _daap_tcp id _dacp_tcp description iTunesairgroupservice remotemgmt id _ssh_tcp id _sftp-ssh_tcp id _ftp_tcp id _telnet_tcp id _rfb_tcp id _net-assistant_tcp description Remote managementairgroupservice sharing id _odisk_tcp id _afpovertcp_tcp id _xgrid_tcp description Sharingairgroupservice chat id _presence_tcp description Chatairgroupservice googlecast id _googlecast_tcp description GoogleCast supported by Chromecast etcairgroupservice DIAL id urndial-multiscreen-orgservicedial1 id urndial-multiscreen-orgdevicedial1 description DIAL 
supported by Chromecast FireTV Roku etcairgroupservice DLNA Media id urnschemas-upnp-orgdeviceMediaServer1 id urnschemas-upnp-orgdeviceMediaServer2 id urnschemas-upnp-orgdeviceMediaServer3 id urnschemas-upnp-orgdeviceMediaServer4 id urnschemas-upnp-orgdeviceMediaRenderer1 id urnschemas-upnp-orgdeviceMediaRenderer2 id urnschemas-upnp-orgdeviceMediaRenderer3 id urnschemas-upnp-orgdeviceMediaPlayer1 description Mediaairgroupservice DLNA Print id urnschemas-upnp-orgdevicePrinter1 id urnschemas-upnp-orgservicePrintBasic1 id urnschemas-upnp-orgservicePrintEnhanced1 description Printairgroupservice allowall description Remaining-Servicesairgroup service airplay enableairgroup service airprint enableairgroup service itunes disableairgroup service remotemgmt disableairgroup service sharing disableairgroup service chat disableairgroup service googlecast disableairgroup service DIAL enableairgroup service DLNA Media disableairgroup service DLNA Print disableairgroup service allowall disableip igmpipv6 mldno firewall attack-rate cp 1024firewall enable ICE-STUN based firewall traversalfirewall attack-rate grat-arp 50 dropipv6 firewall ext-hdr-parse-len 100firewall cpip domain lookupcountry USaaa authentication mac defaultaaa authentication dot1x ArubaIntop-dot1x_profaaa authentication dot1x ascom machine-authentication enable machine-authentication machine-default-role ascom machine-authentication user-default-role authenticated reauthentication termination enable termination eap-type eap-peap termination inner-eap-type eap-mschapv2aaa authentication dot1x defaultaaa authentication dot1x Freeradius machine-authentication enable machine-authentication machine-default-role ascom machine-authentication user-default-role authenticatedaaa authentication-server radius Intop host 19216802 key 6035e299cd29e5ccb74cf92aac31ee2faaa server-group ascom auth-server Internalaaa server-group default auth-server Internal set role condition role value-ofaaa server-group intop auth-server 
Intop
aaa profile ascom
   initial-role ascom
   authentication-dot1x ascom
   dot1x-default-role authenticated
   dot1x-server-group ascom
aaa profile default
aaa profile default-dot1x
   initial-role ascom
   authentication-dot1x Freeradius
   dot1x-default-role authenticated
   dot1x-server-group intop
aaa profile default-dot1x-psk
   initial-role ascom
   authentication-dot1x default-psk
   dot1x-default-role authenticated
aaa authentication captive-portal default
aaa authentication wispr default
aaa authentication vpn default
aaa authentication vpn default-rap
aaa authentication mgmt
aaa authentication stateful-ntlm default
aaa authentication stateful-kerberos default
aaa authentication stateful-dot1x
   server-group intop
aaa authentication wired
web-server
guest-access-email
voice logging
voice dialplan-profile default
app lync traffic-control default
voice real-time-config
voice sip
aaa password-policy mgmt
control-plane-security
   no cpsec-enable
ids wms-general-profile
   poll-retries 3
ids wms-local-system-profile
valid-network-oui-profile
upgrade-profile
license profile
activate-service-whitelist
file syncing profile
ifmap cppm
pan profile default
pan active-profile
ap system-profile default
ap regulatory-domain-profile default
   country-code US
   valid-11g-channel 1
   valid-11g-channel 6
   valid-11g-channel 11
   valid-11a-channel 36
   valid-11a-channel 40
   valid-11a-channel 44
   valid-11a-channel 48
   valid-11a-channel 149
   valid-11a-channel 153
   valid-11a-channel 157
   valid-11a-channel 161
   valid-11a-channel 165
   valid-11g-40mhz-channel-pair 1-5
   valid-11g-40mhz-channel-pair 7-11
   valid-11a-40mhz-channel-pair 36-40
   valid-11a-40mhz-channel-pair 44-48
   valid-11a-40mhz-channel-pair 149-153
   valid-11a-40mhz-channel-pair 157-161
ap wired-ap-profile default
ap enet-link-profile default
ap mesh-ht-ssid-profile default
ap lldp med-network-policy-profile default
ap mesh-cluster-profile default
ap lldp profile default
ap mesh-radio-profile default
ap wired-port-profile default
ids general-profile default
ids unauthorized-device-profile default
ids profile default
rf arm-profile default
   assignment disable
rf arm-profile disable
   assignment disable
   no scanning
   no multi-band-scan
rf optimization-profile default
rf event-thresholds-profile default
rf am-scan-profile default
rf dot11a-radio-profile ch 165
   channel 48E
   tx-power 6
   arm-profile disable
rf dot11a-radio-profile ch 36
   channel 36E
   tx-power 25
   dot11h
   arm-profile disable
rf dot11a-radio-profile ch 40
   channel 40-
   tx-power 22
rf dot11a-radio-profile ch149
   channel 149E
   tx-power 6
   dot11h
rf dot11a-radio-profile ch44
   channel 44
   tx-power 16
rf dot11a-radio-profile default
   arm-profile disable
rf dot11g-radio-profile channel-1
   channel 1
   tx-power 6
   dot11h
   arm-profile disable
rf dot11g-radio-profile channel-11
   channel 11
   tx-power 30
   dot11h
   arm-profile disable
rf dot11g-radio-profile channel-6
   channel 6
   tx-power 25
   dot11h
   arm-profile disable
rf dot11g-radio-profile default
wlan handover-trigger-profile default
wlan rrm-ie-profile default
wlan bcn-rpt-req-profile default
wlan dot11r-profile default
wlan tsm-req-profile default
wlan voip-cac-profile default
   call-capacity 5
   bandwidth-capacity 200
   send-sip-status-code client 503
   send-sip-status-code server 503
wlan ht-ssid-profile default
   no 40MHz-enable
   no very-high-throughput-enable
   no 80MHz-enable
   no short-guard-intvl-20MHz
   no short-guard-intvl-40MHz
   no short-guard-intvl-80MHz
wlan hotspot anqp-venue-name-profile default
wlan hotspot anqp-nwk-auth-profile default
wlan hotspot anqp-roam-cons-profile default
wlan hotspot anqp-nai-realm-profile default
wlan hotspot anqp-3gpp-nwk-profile default
wlan hotspot h2qp-operator-friendly-name-profile default
wlan hotspot h2qp-wan-metrics-profile default
wlan hotspot h2qp-conn-capability-profile default
wlan hotspot h2qp-op-cl-profile default
wlan hotspot anqp-ip-addr-avail-profile default
wlan hotspot anqp-domain-name-profile default
wlan wmm-traffic-management-profile Ascom
   enable-shaping
wlan edca-parameters-profile station default
wlan edca-parameters-profile ap default
wlan dot11k-profile default
wlan ssid-profile --NEW--
   essid ArubaIntop2
   wmm-vo-dscp 56
   wmm-vi-dscp 40
   wmm-be-dscp 24
   wmm-bk-dscp 8
wlan ssid-profile default
   essid ArubaIntop
   opmode wpa2-psk-aes
   dtim-period 5
   g-basic-rates 6
   g-tx-rates 11 12 18 24 36 48 54
   max-retries 4
   wmm
   wmm-vo-dscp 46
   wmm-vi-dscp 40
   wmm-be-dscp 26
   wmm-bk-dscp 0
   wepkey1 1317981aecb1ee9a3145cbeeabbbc99a4c29e309ef9c8544
   wpa-passphrase 50a78a5dac7e447441e028920cceef898a3ba5f29c6e2098
   max-tx-fail 25
   edca-parameters-profile station default
   edca-parameters-profile ap default
wlan ssid-profile test
   opmode wpa2-psk-aes
   wmm-vo-dscp 56
   wmm-vi-dscp 40
   wmm-be-dscp 24
   wmm-bk-dscp 8
   wpa-passphrase c66913b490044f55538730b888a8522c02008a746fb88738
wlan hotspot advertisement-profile default
wlan hotspot hs2-profile default
wlan virtual-ap default
   aaa-profile default-dot1x
ap provisioning-profile default
rf arm-rf-domain-profile
   arm-rf-domain-key 49868e8b02680a8f03980ea4288197a4
ap-lacp-striping-ip
ap-group default
   virtual-ap default
   dot11a-radio-profile ch149
   dot11g-radio-profile channel-6
ap-name 001a1eca2c1a
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-11
ap-name 001a1eca2c76
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-1
ap-name 00246ccbf8b1
ap-name 00246ccbf900
   dot11a-radio-profile ch44
   dot11g-radio-profile channel-11
ap-name 24dec6cacabc
   dot11a-radio-profile ch149
   dot11g-radio-profile channel-1
ap-name 3400-ap-61-a
   dot11g-radio-profile channel-6
ap-name 3400-ap-61-b
   dot11g-radio-profile channel-6
ap-name 9c1c12c0c3bc
   dot11a-radio-profile ch 165
   dot11g-radio-profile channel-6
ap-name 9c1c12c82e5c
   dot11a-radio-profile ch149
   dot11g-radio-profile channel-1
ap-name 9c1c12cc6220
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-6
ap-name d8c7c8c0a168
   dot11a-radio-profile ch 36
   dot11g-radio-profile channel-1
airgroup cppm-server aaa
logging level warnings security subcat ids
logging level warnings security subcat ids-ap
snmp-server enable trap
snmp-server trap source 0000
snmp-server trap disable wlsxAdhocNetwork
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedAP
snmp-server trap disable wlsxAdhocNetworkBridgeDetectedSta
snmp-server trap disable wlsxAdhocUsingValidSSID
snmp-server trap disable wlsxAuthMaxAclEntries
snmp-server trap disable wlsxAuthMaxBWContracts
snmp-server trap disable wlsxAuthMaxUserEntries
snmp-server trap disable wlsxAuthServerIsUp
snmp-server trap disable wlsxAuthServerReqTimedOut
snmp-server trap disable wlsxAuthServerTimedOut
snmp-server trap disable wlsxChannelChanged
snmp-server trap disable wlsxCoverageHoleDetected
snmp-server trap disable wlsxDBCommunicationFailure
snmp-server trap disable wlsxDisconnectStationAttack
snmp-server trap disable wlsxESIServerDown
snmp-server trap disable wlsxESIServerUp
snmp-server trap disable wlsxFanFailure
snmp-server trap disable wlsxFanTrayInserted
snmp-server trap disable wlsxFanTrayRemoved
snmp-server trap disable wlsxGBICInserted
snmp-server trap disable wlsxIpSpoofingDetected
snmp-server trap disable wlsxLCInserted
snmp-server trap disable wlsxLCRemoved
snmp-server trap disable wlsxLicenseExpiry
snmp-server trap disable wlsxLowMemory
snmp-server trap disable wlsxLowOnFlashSpace
snmp-server trap disable wlsxOutOfRangeTemperature
snmp-server trap disable wlsxOutOfRangeVoltage
snmp-server trap disable wlsxPowerSupplyFailure
snmp-server trap disable wlsxPowerSupplyMissing
snmp-server trap disable wlsxProcessDied
snmp-server trap disable wlsxProcessExceedsMemoryLimits
snmp-server trap disable wlsxSCInserted
snmp-server trap disable wlsxSignatureMatch
snmp-server trap disable wlsxStaUnAssociatedFromUnsecureAP
snmp-server trap disable wlsxStationAddedToBlackList
snmp-server trap disable wlsxStationRemovedFromBlackList
snmp-server trap disable wlsxSwitchIPChanged
snmp-server trap disable wlsxSwitchRoleChange
snmp-server trap disable wlsxUserAuthenticationFailed
snmp-server trap disable wlsxUserEntryAuthenticated
snmp-server trap disable wlsxUserEntryChanged
snmp-server trap disable wlsxUserEntryCreated
snmp-server trap disable wlsxUserEntryDeAuthenticated
snmp-server trap disable wlsxUserEntryDeleted
snmp-server trap disable wlsxVrrpStateChange
firewall-visibility
process monitor log
end

WLAN TR

WLAN Interoperability Test Report

Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP115 and AP225

WLAN configuration:
Beacon Interval 100ms
DTIM Interval 5
802.11d Regulatory Domain XX
WMM Enabled (AutoWMM)
No Auto-tune
Single Voice VLAN

| Test Case | Description | AP115 2.4GHz | AP115 5.0GHz | AP225 2.4GHz | AP225 5.0GHz | Comment |
|---|---|---|---|---|---|---|
| | TEST AREA ASSOCIATION AUTHENTICATION | | | | | |
| 101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS | |
| 104 | Association with WPA-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 105 | Association with WPA-PSK authentication, AES-CCMP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 106 | Association with WPA2-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS | |
| 110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL |
| 111 | Association with EAP-FAST authentication | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment |
| 116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate |
| | TEST AREA POWER-SAVE AND QOS | | | | | PASS |
| 150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL |
| 151 | Beacon period and DTIM interval | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
| 152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment |
| 202 | WMM prioritization | PASS | PASS | PASS | PASS | Background load generated with iPerf. No degeneration of voice quality |
| | TEST AREA PERFORMANCE | | | | | |
| 301 | Active mode - unencrypted | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 303 | Active mode - encrypted with WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 308 | Power-save mode U-APSD - WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 309 | Power-save mode U-APSD - WPA2-PSK AES background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 310 | CAC - TSPEC | PASS | PASS | PASS | PASS | No TSPEC based CAC |
| | TEST AREA ROAMING AND HANDOVER TIMES | | | | | |
| 401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | avg a/n 24ms, b/g/n 24ms |
| 403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 52ms, b/g/n 59ms |
| 408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 63ms, b/g/n 62ms |
| 410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | always on, see 408 |
| 411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | always on, see 408 |
| | TEST AREA BATTERY LIFETIME | | | | | |
| 501 | Battery lifetime in idle | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 502 | Battery lifetime in call with no power save | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 504 | Battery lifetime in call with power save mode U-APSD | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| | TEST AREA STABILITY | | | | | |
| 601 | Duration of call - Active mode | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 602 | Duration of call - U-APSD mode | PASS | PASS | PASS | PASS | |
| | TEST AREA 802.11n | | | | | |
| 801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 804 | 40MHz channels | NOT TESTED | PASS | NOT TESTED | NOT TESTED | |
| 805 | 802.11n rates | PASS | PASS | PASS | PASS | |

WLAN Interoperability Test Report

Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP103 and AP205

WLAN configuration:
Beacon Interval 100ms
DTIM Interval 5
802.11d Regulatory Domain XX
WMM Enabled (AutoWMM)
No Auto-tune
Single Voice VLAN

| Test Case | Description | AP205 2.4GHz | AP205 5.0GHz | AP103 2.4GHz | AP103 5.0GHz | Comment |
|---|---|---|---|---|---|---|
| | TEST AREA ASSOCIATION AUTHENTICATION | | | | | |
| 101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS | |
| 104 | Association with WPA-PSK authentication, TKIP encryption | See Comment | See Comment | See Comment | See Comment | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 105 | Association with WPA-PSK authentication, AES-CCMP encryption | See Comment | See Comment | See Comment | See Comment | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 106 | Association with WPA2-PSK authentication, TKIP encryption | PASS | PASS | PASS | PASS | |
| 107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS | |
| 110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL |
| 115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment |
| 116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate |
| | TEST AREA POWER-SAVE AND QOS | | | | | PASS |
| 150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL |
| 151 | Beacon period and DTIM interval | See Comment | See Comment | PASS | PASS | Only DTIM 1 for AP205; AP103 no remark NOT TESTED |
| 152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment |
| 202 | WMM prioritization | PASS | PASS | PASS | PASS | |
| | TEST AREA PERFORMANCE | | | | | |
| 301 | Active mode - unencrypted | PASS | PASS | PASS | PASS | |
| 303 | Active mode - encrypted with WPA2-PSK | PASS | PASS | PASS | PASS | |
| 308 | Power-save mode U-APSD - WPA2-PSK | PASS | PASS | PASS | PASS | |
| 309 | Power-save mode U-APSD - WPA2-PSK AES background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 310 | CAC - TSPEC | PASS | PASS | PASS | PASS | Non TSPEC based CAC |
| | TEST AREA ROAMING AND HANDOVER TIMES | | | | | |
| 401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 16ms, b/g/n 18ms |
| 403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 53ms, b/g/n 59ms |
| 408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | Typical average roaming time a/n/ac 46ms, b/g/n 62ms |
| 410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | always on, see 408 |
| 411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | always on, see 408 |
| | TEST AREA BATTERY LIFETIME | | | | | |
| 501 | Battery lifetime in idle | See Comment | See Comment | PASS | PASS | 60-70h due to DTIM 1 only; AP103 90 100h (DTIM 5) |
| 502 | Battery lifetime in call with no power save | PASS | PASS | PASS | PASS | 3-4 hours |
| 504 | Battery lifetime in call with power save mode U-APSD | PASS | PASS | PASS | PASS | 13h (14-16h for AP103) |
| | TEST AREA STABILITY | | | | | |
| 601 | Duration of call - Active mode | PASS | PASS | PASS | PASS | 24h + |
| 602 | Duration of call - U-APSD mode | PASS | PASS | PASS | PASS | 24h + |
| | TEST AREA 802.11n | | | | | |
| 801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 804 | 40MHz channels | NOT TESTED | PASS | NOT TESTED | PASS | AP205 80MHz channels verified ok |
| 805 | 802.11n rates | PASS | PASS | PASS | PASS | |

WLAN Interoperability Test Report

Test object - Handset: Ascom i62, sw version 5.2.8
Test object - WLAN system: Aruba 3400 v 6.4.2.0, AP105 and AP135

WLAN configuration:
Beacon Interval 100ms
DTIM Interval 5
802.11d Regulatory Domain XX
WMM Enabled (AutoWMM)
No Auto-tune
Single Voice VLAN

| Test Case | Description | AP105 2.4GHz | AP105 5.0GHz | AP135 2.4GHz | AP135 5.0GHz | Comment |
|---|---|---|---|---|---|---|
| | TEST AREA ASSOCIATION AUTHENTICATION | | | | | |
| 101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS | |
| 104 | Association with WPA-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 105 | Association with WPA-PSK authentication, AES-CCMP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Not tested. Only possible in Mixed mode and requires advanced configuration of i62 |
| 106 | Association with WPA2-PSK authentication, TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS | |
| 110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | FreeRADIUS RootCA FAIL |
| 115 | Association with multiple ESSIDs on AP | PASS | PASS | PASS | PASS | See Comment |
| 116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | FreeRADIUS RootCA + client certificate |
| | TEST AREA POWER-SAVE AND QOS | | | | | PASS |
| 150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | FAIL |
| 151 | Beacon period and DTIM interval | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Only DTIM 1 for AP205; AP103 no remark NOT TESTED |
| 152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | See Comment |
| 202 | WMM prioritization | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | Background load generated with iPerf. No degeneration of voice quality |
| | TEST AREA PERFORMANCE | | | | | |
| 301 | Active mode - unencrypted | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 303 | Active mode - encrypted with WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 308 | Power-save mode U-APSD - WPA2-PSK | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 309 | Power-save mode U-APSD - WPA2-PSK AES background load | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 310 | CAC - TSPEC | PASS | PASS | PASS | PASS | No TSPEC based CAC |
| | TEST AREA ROAMING AND HANDOVER TIMES | | | | | |
| 401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | avg a/n 29ms, b/g/n 27ms |
| 403 | Handover with WPA-PSK authentication and TKIP encryption | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 57ms, b/g/n 55ms |
| 408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | avg a/n 62ms, b/g/n 60ms |
| 410 | Handover using PMKSA caching | PASS | PASS | PASS | PASS | Always on, see 408 |
| 411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | Always on, see 408 |
| 412 | Preauthentication | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| | TEST AREA BATTERY LIFETIME | | | | | |
| 501 | Battery lifetime in idle | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 502 | Battery lifetime in call with no power save | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 504 | Battery lifetime in call with power save mode U-APSD | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| | TEST AREA STABILITY | | | | | |
| 601 | Duration of call - Active mode | PASS | PASS | PASS | PASS | |
| 602 | Duration of call - U-APSD mode | PASS | PASS | PASS | PASS | |
| | TEST AREA 802.11n | | | | | |
| 801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 802 | Frame aggregation A-MPDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | |
| 804 | 40MHz channels | NOT TESTED | NOT TESTED | NOT TESTED | PASS | |
| 805 | 802.11n rates | PASS | PASS | PASS | PASS | |