Remote Access Points. Aruba M3MK1, 7024, 7240, 620, 7280, 650, ArubaOS 6.5.3.x, 3200


Chapter 32

Remote Access Points

The Secure Remote Access Point Service allows AP users at remote locations to connect to an Aruba controller over the Internet. Because the Internet is involved, data traffic between the controller and the remote AP is VPN encapsulated. That is, the traffic between the controller and AP is encrypted. Remote AP operations are supported on all of Aruba’s APs.

Topics in this chapter include:

- About Remote Access Points
- Configuring the Secure Remote Access Point Service
- Deploying a Branch/Home Office Solution
- Enabling Remote AP Advanced Configuration Options
- Understanding Split Tunneling
- Understanding Bridge
- Provisioning Wi-Fi Multimedia
- Reserving Uplink Bandwidth
- Provisioning 4G USB Modems on Remote Access Points
- Configuring RAP-3WN and RAP-3WNP Access Points
- Converting an IAP to RAP or CAP
- Enabling Bandwidth Contract Support for RAPs
- RAP TFTP Image Upgrade

About Remote Access Points

Remote APs connect to a controller using Extended Authentication and Internet Protocol Security (XAuth/IPSec). AP control and 802.11 data traffic are carried through this tunnel. Secure Remote Access Point Service extends the corporate office to the remote site. Remote users can use the same features as corporate office users. For example, voice over IP (VoIP) applications can be extended to remote sites while the servers and the PBX remain secure in the corporate office.

For both RAPs and CAPs, tunneled SSIDs will be brought down eight seconds after the AP detects that there is no connectivity to the controller. However, RAP bridge-mode SSIDs are configurable to stay up indefinitely (always-on / persistent). For CAP bridge-mode SSIDs, the CAP will be brought down after the keepalive times out (default 3.5 minutes).

Secure Remote Access Point Service can also be used to secure control traffic between an AP and the controller in a corporate environment. In this case, both the AP and controller are in the company’s private address space.

The remote AP must be configured with the IPSec VPN tunnel termination point. Once the VPN tunnel is established, the AP bootstraps and becomes operational. The tunnel termination point used by the remote AP depends upon the AP deployment, as shown in the following scenarios:

Deployment Scenario 1: The remote AP and controller reside in a private network which secures AP-to-controller communication. (This deployment is recommended when AP-to-controller communications on a private network need to be secured.) In this scenario, the remote AP uses the controller’s IP address on the private network to establish the IPSec VPN tunnel.

ArubaOS 6.5.3.x

| User Guide Remote Access Points | 701

Figure 94 Remote AP with a Private Network

Deployment Scenario 2: The remote AP is on the public network or behind a NAT device and the controller is on the public network. The remote AP must be configured with the tunnel termination point, which must be a publicly-routable IP address. In this scenario, a routable interface is configured on the controller in the DMZ. The remote AP uses the controller’s IP address on the public network to establish the IPSec VPN tunnel.

Figure 95 Remote AP with Controller on Public Network

Deployment Scenario 3: The remote AP is on the public network or behind a NAT device and the controller is also behind a NAT device. (This deployment is recommended for remote access.) The remote AP must be configured with the tunnel termination point, which must be a publicly-routable IP address. In this scenario, the remote AP uses the public IP address of the corporate firewall. The firewall forwards traffic to an existing interface on the controller. (The firewall must be configured to pass NAT-T traffic (UDP port 4500) to the controller.)

Figure 96 Remote AP with Controller Behind Firewall

In any of the described deployment scenarios, the IPSec VPN tunnel can be terminated on a local controller, with a master controller located elsewhere in the corporate network (Figure 97). The remote AP must be able to communicate with the master controller after the IPSec tunnel is established. Make sure that the L2TP IP pool configured on the local controller (from which the remote AP obtains its address) is reachable in the controller network by the master controller.


Figure 97 Remote AP in a Multi-Controller Environment

Configuring the Secure Remote Access Point Service

The tasks for configuring an Aruba access point for the Secure Remote Access Point Service are:

- Configure a public IP address for the controller.
  You must install one or more AP licenses in the controller. There are several AP licenses available that support different maximum numbers of APs. The licenses are cumulative; each additional license installed increases the maximum number of APs supported by the controller.
- Configure the VPN server on the controller. The remote AP will be a VPN client to the server.
- Provision the AP with IPSec settings, including the username and password for the AP, before you install it at the remote location. You can also provision the RAP using the zero touch provisioning method. For more information, see Provisioning 4G USB Modems on Remote Access Points on page 740.

Configure a Public IP Address for the Controller

The remote AP requires an IP address to which it can connect to establish a VPN tunnel to the controller. This can be either a routable IP address you configure on the controller, or the address of an external router or firewall that forwards traffic to the controller. The following procedure describes how to create a DMZ address on the controller.

In the WebUI

1. Navigate to the Configuration > Network > VLANs page.

2. Click Add to add a VLAN.

3. Enter the VLAN ID.

4. Select the port that belongs to this VLAN.

5. Click Apply.

6. Navigate to the Configuration > Network > IP page.

7. Click Edit for the VLAN you just created.

8. Enter the IP Address and Net Mask fields.

9. Click Apply.

In the CLI

(host) (config) #vlan <id>
(host) (config) #interface fastethernet <slot>/<module>/<port>
   switchport access vlan <id>
(host) (config) #interface vlan <id>
   ip address <ipaddr> <mask>


Configure the NAT Device

Communication between the AP and the secure controller uses UDP port 4500. When both the controller and the AP are behind NAT devices, configure the AP to use the NAT device’s public address as its master address. On the NAT device, you must enable NAT-T (UDP port 4500 only) and forward all packets sent to the public address of the NAT device on UDP port 4500 to the controller, so that the remote AP boots successfully.

Configure the VPN Server

This section describes how to configure the IPSec VPN server on the controller. For more details, see Virtual Private Networks on page 352.

The remote AP will be a VPN client that connects to the VPN server on the controller.

In the WebUI

1. Navigate to the Configuration > Advanced Services > VPN Services > IPSec page.

2. Select Enable L2TP.

3. Make sure that PAP (Password Authentication Protocol) is selected for Authentication Protocols.

4. To configure the L2TP IP pool, click Add in the Address Pools section. Configure the L2TP pool from which the APs will be assigned addresses, then click Done.

   The size of the pool should correspond to the maximum number of APs that the controller is licensed to manage.

5. To configure an Internet Security Association and Key Management Protocol (ISAKMP) encrypted subnet and preshared key, click Add in the IKE Shared Secrets section and configure the preshared key. Click Done to return to the IPSec page.

6. Click Apply.

In the CLI

(host) (config) #vpdn group l2tp
   ppp authentication PAP
(host) (config) #ip local pool <pool> <start-ipaddr> <end-ipaddr>
(host) (config) #crypto isakmp key <key> address <ipaddr> netmask <mask>

CHAP Authentication Support over PPPoE

RAPs can now establish a PPPoE session with a PPPoE server at the ISP side and get authenticated using the Challenge Handshake Authentication Protocol (CHAP). The PPPoE client running on a RAP is capable of handling the CHAP authentication requests from the PPPoE server.

The PPPoE client selects either the PAP or the CHAP credentials for the RAP authentication depending upon the request from the PPPoE server.

You can use the WebUI or the CLI to configure CHAP.

In the WebUI

1. Navigate to the Configuration > Wireless > AP Installation page. The list of discovered APs is displayed on this page.

2. Select the AP you want to configure using CHAP and click the Provision button.

3. Enter the CHAP Secret in the text box under Authentication Method .


   You can use all special characters except the question mark (?). A space can be used within double quotes (" ").

4. Enter the CHAP Secret again in the Confirm CHAP Secret text box for confirmation.

Figure 98 CHAP Authentication Using CHAP Secret

5. Click Apply and Reboot.

In the CLI

(host) (config) #provision-ap
   pppoe-chap-secret <KEY>
   reprovision ap-name <name>

Configuring Certificate RAP

You can configure the remote AP to use the internal certificate for authentication. You can use the WebUI or CLI to configure the certificate RAP.

In the WebUI

1. Navigate to Configuration > AP Installation (under Wireless).

2. Select the required remote AP under the Provisioning tab and then click Provision.

3. Select Yes for Remote AP and Certificate for Remote AP Authentication Method.

4. Click Apply and Reboot to apply the configuration and reboot the AP as certificate RAP.

In the CLI

(host) (config) #local-userdb-ap whitelist-db rap add <mac-address>

Creating a Remote AP Whitelist

If you use the Zero Touch provisioning method to provision the certificate RAP, then you must create a remote AP whitelist. For more information on Zero Touch Provisioning of the RAP, see Provisioning 4G USB Modems on Remote Access Points on page 740.

The remote AP whitelist is the list of approved APs that can be provisioned on your controller.

In the WebUI

1. Navigate to Configuration > AP Installation (under Wireless) and then click the RAP Whitelist tab on the right side.

2. Click New and provide the following details:

- AP MAC Address: mandatory parameter. Enter the MAC address of the AP.
- Username: enter a username that is used when the AP is provisioned.
- AP Group: select a group to add the AP.


- AP Name: enter a name for the AP. If you do not enter an AP name, the MAC address will be used instead.
- Description: enter a text description for the AP.
- IP-Address: enter an IP address for the AP.

3. Click Add to add the remote AP to the whitelist.

Configuring PSK RAP

You can use Pre-Shared Key (PSK) authentication to provision an individual remote AP or a group of remote APs using an Internet Key Exchange Pre-Shared Key (IKE PSK).

Starting with ArubaOS 6.5.2.0, PSK RAPs support the IKEv1 SHA-2 cryptographic hash function.

In the WebUI

1. Navigate to the Configuration > Wireless > AP Installation > Provisioning window.

2. Click the checkbox by the AP you want to provision, then click Provision. The Provisioning window opens.

3. Select Yes for the Remote AP option.

4. In the Remote IP Authentication Method section, select Pre-shared key.

5. Enter and confirm the pre-shared key (IKE PSK).

6. In the User credential assignment section, specify if you want to use a Global User Name/Password or a Per AP User Name/Password.

   a. If you use the Per AP User Names/Passwords option, each RAP is given its own username and password.

   b. If you use the Global User Name/Password option, all selected RAPs are given the same (shared) username and password.

7. Enter the user name, and enter and confirm the password. If you want the controller to automatically generate a user name and password, select Use Automatic Generation, then click Generate by the User Name and Password fields.

Add the user to the internal database

You can add the user to the internal database using the WebUI or CLI.

In the WebUI

1. Navigate to the Configuration > Security > Authentication > Servers page.

2. Select Internal DB.

3. Click Add User in the Users section. The user configuration page displays.

4. Enter the username and password.

5. Click Enabled to activate this entry on creation.

6. Click Apply. Note that the configuration does not take effect until you perform this step.

7. At the Servers page, click Apply .

In the CLI

(host) (config) #local-userdb add username rapuser1 password <password>


RAP Static Inner IP Address

The RAP static inner IP address feature assigns a static inner IP address to a remote access point (RAP). A new remote-IP address parameter is added to the existing configuration commands.

In the WebUI

To view the IP-Address parameter in the local database, navigate to the Configuration > Security > Authentication > Servers > Internal DB page.

Figure 99 IP-Address parameter in the local database

To view the IP-Address parameter in the RAP Whitelist, navigate to the Wireless > AP Installation > RAP Whitelist page.

Figure 100 IP-Address parameter in the RAP Whitelist

In the CLI

(host) (config) #local-userdb add {generate-username|username <name>} {generate-password|password <password>} {remote-ip <remote-ip>}
(host) (config) #local-userdb modify {username <name>} {remote-ip <remote-ip>}
(host) (config) #local-userdb-ap whitelist-db rap add {mac-address <address>} {ap-group <ap_group>} {remote-ip <remote-ip>}
(host) (config) #local-userdb-ap whitelist-db rap modify {mac-address <address>} {remote-ip <remote-ip>}

You cannot configure the IP-Address parameter using the WebUI.

Provision the AP

You need to configure the VPN client settings on the AP to instruct the AP to use IPSec to connect to the controller. You can provision the remote AP and give it to users, or allow remote users to provision the AP at their home. The latter method of provisioning is referred to as Zero Touch Provisioning. See Provisioning 4G USB Modems on Remote Access Points on page 740 for more information about Zero Touch Provisioning of a remote AP.

You must provision the AP before you install it at its remote location. To provision the AP, the AP must be physically connected to the local network or directly connected to the controller. When connected and powered on, the AP must also be able to obtain an IP address from a DHCP server on the local network or from the controller.

If your configuration has an internal LMS IP address, remote APs may attempt to switch over to the LMS IP address, which is not reachable from the Internet. For remote APs, ensure that the LMS IP address in the AP system profile for the AP group has an externally routable IP address.


Reprovisioning the AP causes it to automatically reboot. The easiest way to provision an AP is to use the Provisioning page in the WebUI, as described in the following steps:

1. Navigate to the Configuration > Wireless > AP Installation > Provisioning page. Select the remote AP and click Provision.

2. Under Authentication Method, select IPSec Parameters. Enter the Internet Key Exchange (IKE) Pre-Shared Key (PSK), username, and password.

The username and password you enter must match the username and password configured on the authentication server for the remote AP.

3. Under Master Discovery, set the Master IP Address as shown below:

| Deployment Scenario | Master IP Address Value |
| Deployment 1 | Controller IP address |
| Deployment 2 | Controller public IP address |
| Deployment 3 | Public address of the NAT device to which the controller is connected |


4. Under IP Settings, make sure that Obtain IP Address Using DHCP is selected.

5. Click Apply and Reboot.
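The following Python is an added example, not code from the guide or from ArubaOS. It applies the provisioning rules stated above (a publicly routable Master IP and LMS IP for Deployments 2 and 3, NAT-T forwarding for Deployment 3, and an L2TP pool sized to the AP license count) to a planned RAP rollout; the RapPlan fields, the finding codes and the sample addresses are assumptions made for the example.

```python
"""Pre-deployment checks for a remote AP (RAP) rollout plan.

Added example: RapPlan, its fields and the finding codes are hypothetical
names for this illustration, not ArubaOS objects or commands.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# IPv4 blocks that cannot be reached across the Internet.
NON_ROUTABLE = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private space
    "100.64.0.0/10",                                  # carrier-grade NAT
    "127.0.0.0/8", "169.254.0.0/16",                  # loopback, link-local
)]
NAT_T = ("udp", 4500)  # the only port the NAT device has to pass to the controller


@dataclass
class RapPlan:
    scenario: int                # Deployment 1, 2 or 3 from this chapter
    master_ip: str               # Master IP Address provisioned on the AP
    lms_ip: Optional[str]        # LMS IP in the AP system profile, if any
    l2tp_pool: Tuple[str, str]   # first and last address of the L2TP pool
    licensed_aps: int            # maximum APs the controller is licensed for
    # (protocol, port) pairs the NAT device forwards to the controller
    nat_forwards: List[Tuple[str, int]] = field(default_factory=list)


def is_publicly_routable(addr: str) -> bool:
    """True when addr lies outside every block in NON_ROUTABLE."""
    ip = ip_address(addr)
    return not any(ip in net for net in NON_ROUTABLE)


def pool_size(first: str, last: str) -> int:
    """Number of addresses in the inclusive range first..last."""
    return int(ip_address(last)) - int(ip_address(first)) + 1


def check_plan(plan: RapPlan) -> List[Tuple[str, str]]:
    """Return (code, message) findings; an empty list means the plan passes."""
    if plan.scenario not in (1, 2, 3):
        raise ValueError("scenario must be 1, 2 or 3")
    findings = []

    # Deployments 2 and 3: the AP reaches the controller across the Internet.
    if plan.scenario in (2, 3):
        if not is_publicly_routable(plan.master_ip):
            findings.append(("MASTER_NOT_ROUTABLE",
                             f"Master IP {plan.master_ip} is not publicly routable"))
        if plan.lms_ip and not is_publicly_routable(plan.lms_ip):
            findings.append(("LMS_NOT_ROUTABLE",
                             f"LMS IP {plan.lms_ip} is not reachable from the Internet"))

    # Deployment 3: the controller sits behind a NAT device or firewall.
    if plan.scenario == 3:
        if NAT_T not in plan.nat_forwards:
            findings.append(("NATT_NOT_FORWARDED",
                             "NAT device does not forward UDP 4500 to the controller"))
        for proto, port in plan.nat_forwards:
            if (proto, port) != NAT_T:
                findings.append(("EXTRA_FORWARD",
                                 f"{proto}/{port} is forwarded; the chapter calls for UDP 4500 only"))

    # The L2TP pool should cover every AP the controller is licensed to manage.
    size = pool_size(*plan.l2tp_pool)
    if size < plan.licensed_aps:
        findings.append(("POOL_TOO_SMALL",
                         f"L2TP pool has {size} addresses for {plan.licensed_aps} licensed APs"))
    return findings


# Constructed sample plans. 203.0.113.0/24 is a documentation range used here
# as a stand-in for a public address.
GOOD_PLAN = RapPlan(3, "203.0.113.10", "203.0.113.10",
                    ("10.20.0.10", "10.20.0.73"), 64, [("udp", 4500)])
BAD_PLAN = RapPlan(3, "192.168.1.5", "10.1.1.2",
                   ("10.20.0.10", "10.20.0.25"), 64, [("udp", 500)])

if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(name)
        for code, msg in check_plan(plan) or [("OK", "no findings")]:
            print(f"  {code}: {msg}")
```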

Secondary Master Controller

The backup Local Mobility Switch (LMS) provides reliability and redundancy; however, the functionality of a backup LMS is initiated only after an AP terminates on a controller successfully and retrieves the configuration.

If the AP boots up and fails to connect to the master controller, the AP cannot be managed. To address this, ArubaOS 6.5.0.0 introduces the secondary master controller feature.

In a scenario where the master controller is not reachable, the AP will try to reach the secondary master controller and, if successful, will terminate on the secondary master. The secondary master details are not stored in the system flash when the AP is deployed for the first time, but only after a successful configuration.

An AP can use the secondary master controller feature after the AP reboots.

If an AP has not been configured to a controller after deployment, the secondary master feature will not be applicable.

In the WebUI

To enable the secondary master controller feature:

1. Navigate to Configuration > Advanced services > All Profiles.

2. Click AP > AP System.

3. Select the AP profile for which the secondary master controller feature is to be enabled. The Profile Details section is displayed.

4. Navigate to the Basic > General tab.

5. Enter an IP or FQDN value for the secondary master controller in the Secondary Master IP/FQDN field.


Figure 101 Profile Details

In the CLI

Execute the following command to enable the secondary master controller feature.

(host) (config) #ap system-profile <profile name>

(host) (AP system profile "profile name")#secondary-master <value>

Deploying a Branch/Home Office Solution

In a branch office, the AP is deployed in a separate IP network from the corporate network. Typically, there are one or two NAT devices between the two networks. Branch office users need access to corporate resources such as printers and servers, but traffic to and from these resources must not impact the corporate head office. Figure 102 is a graphic representation of a remote AP in a branch or home office, with a single controller providing access to both a corporate WLAN and a branch office WLAN.

Figure 102 Remote AP with Single Controller


Branch office users want continued operation of the branch office WLAN, even if the link to the corporate network goes down. The branch office AP meets these requirements by providing the following capabilities on the branch office WLAN:

- Local termination of 802.11 management frames, which provides survivability of the branch office WLAN.
- All 802.1X authenticator functionality is implemented in the AP. The controller is used as a RADIUS pass-through when the authenticator has to communicate with a RADIUS server (which also supports survivability).
- 802.11 encryption/decryption is in the AP to provide access to local resources.
- Local bridging of client traffic connected to the WLAN or to an AP 70 enet1 port to provide access to local resources.

Provisioning the Branch AP

You can provision the remote AP either using the controller or using the Zero Touch Provisioning method. For more information on controller provisioning, see Configuring Installed APs on page 542. For more information on Zero Touch Provisioning, see Provisioning 4G USB Modems on Remote Access Points on page 740.

Configuring the Branch AP

- Specify forward mode for the Extended Service Set Identifier (ESSID) in the virtual AP profile.
- Specify remote AP operation in the virtual AP profile. (The remote AP operates in standard mode by default.)
- Set how long the AP stays up after connectivity to controller has gone down in the SSID profile.
- Set the VLAN ID in the virtual AP profile.
- Set the native VLAN ID in the AP system profile.
- Set forward mode for enet1 port.

Remote APs support 802.1q VLAN tagging. Data from the remote AP will be tagged on the wired side.

Troubleshooting Remote AP

The following WebUI options are available to troubleshoot issues with remote AP:

- Using local debugging feature
- Viewing the remote AP summary report
- Viewing remote AP connectivity report
- Using remote AP diagnostic options

Local Debugging

Local debugging is a WebUI feature that allows end users to perform diagnostics and view the status of their remote AP through a wired or wireless client. This feature is useful for troubleshooting connectivity problems on remote APs and performing throughput tests. There are three tabs in the Local Debugging WebUI window: Summary, Connectivity, and Diagnostics. Each tab displays different information for the AP, but all three tabs include a Generate & save support file link that, when clicked, will automatically generate a support.tgz file that can be sent to a corporate IT department for additional analysis and debugging.

A snapshot of the bridge, acl, session, user, and arp tables, current processes, memory, and kernel debug messages are captured in a single rap_debug.txt file, which is bundled along with the support.tgz file.


Remote AP Summary

The Summary tab has two views: basic and advanced. Click the basic or advanced links at the top of this tab to toggle between the two views. The table below shows the information displayed for both the basic and advanced views of the Summary tab.

Table 159: RAP Console Summary Tab Information

Wired Ports Status
  Basic view:
  - Port: port numbers of the wired ports on the AP
  - Status: current status of each port (Connected, LinkDown or Disabled)
  Advanced view (the advanced view of the Wired Access Ports table displays the following data):
  - Port: port numbers of the wired ports on the AP
  - Status: current status of each port (Connected, LinkDown or Disabled)
  - MAC Address: MAC address of the wired port
  - Speed: speed of the link
  - Duplex Type: duplex mode of the link, full or half
  - Forwarding mode: forwarding mode for the port: Bridge, Tunnel or Split Tunnel
  - Users: number of users accessing each port
  - Rx Packets: number of packets received on the port
  - Tx packets: number of packets transmitted via the port

Wireless SSIDs
  Basic view:
  - SSID: name of the SSID
  - Status: SSID status (up, down, or disabled)
  - Band: radio band available on the SSID
  Advanced view:
  - SSID: name of the SSID
  - Status: SSID status (up, down, or disabled)
  - Band: radio band available on the SSID
  - Channel: channel used on the radio band
  - BSSID: BSSID of the wireless SSID
  - Forwarding Mode: forwarding mode used by the wireless SSID (Bridge, Tunnel or Split-Tunnel)
  - EIRP: Equivalent Isotropic Radiated Power, in dBm
  - Noise floor: residual background noise detected by an AP. Noise seen by an AP is reported as -dBm. Therefore, a noise floor of -100 dBm is smaller (lower) than a noise floor of -50 dBm.
  - Users: number of users on the radio band
  - Rx Packets: number of packets received on the BSSID
  - Tx packets: number of packets transmitted via the BSSID

Wired Users
  Basic view:
  - MAC Address: MAC address of the wired user
  - IP address: IP address of the wired user
  Advanced view:
  - MAC Address: MAC address of the wired user
  - IP address: IP address of the wired user
  - Port: AP port used by the wired user

Wireless User
  Basic view:
  - MAC Address: MAC address of the wireless user
  - IP address: IP address of the wireless user
  Advanced view:
  - MAC Address: MAC address of the wired user
  - IP address: IP address of the wired user
  - SSID: name of the SSID
  - BSSID: BSSID of the wireless user
  - Assoc State: shows if the user is associated or just authorized
  - Auth: type of authentication: WPA, 802.1X, none, open, or shared
  - Encryption: encryption type used by the wireless user
  - Band: radio band used by the wireless client
  - RSSI: the Receive Signal Strength Indicator (RSSI) value displayed in the output of this command represents signal strength as a signal to noise ratio

Device Info
  Basic view:
  - Type: AP device/model type
  - Name: name assigned to the AP
  - Wired MAC address: MAC address of the wired port
  - Serial #: AP serial number
  - Tunnel IP address: IP address of the tunnel between the AP and controller
  - Software Version: software version currently running on the AP
  - Uptime: amount of time the AP has been active since it was last reset
  - Master: IP address of the master controller
  - lms: IP address of the local controller
  Advanced view: N/A

Uplink Info
  Basic view: The Uplink Info table can display some or all of the following information for your remote AP, depending upon whether a link is active and the number of links supported by the AP.
  Active uplink information, including:
  - Interface name
  - Port speed
  - IP address
  Standby link information, including:
  - Name (3G)
  - Device connected (yes/no)
  - Provisioned (yes/no)
  - IP address
  - Device
  - User
  - Password
  Advanced view: N/A

Multihoming on remote AP (RAP)

You can uplink a RAP using Ethernet or a USB-based modem. These uplinks can be used as a backup link if the primary link fails. The uplink becomes active based on the order of priority configured on the RAP. The RAP switches back to the primary link when the primary connection is restored.


For information on provisioning the RAP using the USB-based modem, see Provisioning 4G USB Modems on Remote Access Points on page 740.

Seamless failover from backup link to primary link on RAP

RAPs can fail over from a backup link to a primary link without much disruption to traffic. The failover is performed only if the controller is reachable via the primary link.

Remote AP Connectivity

The information shown on the Connectivity tab will vary, depending upon the current status of the remote AP. If a remote AP has been successfully provisioned and connected, it should display some or all of the information in Table 160.

Table 160: RAP Console Connectivity Tab Information

| Data | Description |
| Uplink status | Shows whether the link is connected or has failed. If the link is connected, the Uplink status also displays the name of the interface. |
| IP Information | If the AP has successfully received an IP address, this data row will show the AP’s IP address, subnet mask, and gateway IP address. |
| Gateway Connectivity | If successful, this item also shows the percentage of packet loss for data received from the gateway. |
| TPM Certificates | If successful, the AP has a Trusted Platform Module (TPM) certificate. |
| Master Connectivity | Shows if the AP was able to connect to the master controller. This item also shows the IP address to which the AP attempted to connect, and, if the AP did connect successfully, the link used to connect to that controller. |
| LMS Connectivity | Shows if the AP was able to connect to a local controller. This item also shows the IP address to which the AP attempted to connect, and, if the AP did connect successfully, the link used to connect to that controller. |

The top of the Connectivity tab has a Refresh link that allows users to refresh the data on their screen.

Additional information at the bottom of this tab shows the date, time, and reason the remote AP last rebooted. The Reboot RAP Now button reboots the remote AP.

Remote AP Diagnostics

Use the Diagnostics tab to view log files, or run diagnostic tests that can help the IT department troubleshoot errors. Use the Reboot AP Now button at the bottom of the Diagnostic window to reboot the remote AP.

To run a diagnostic test on a remote AP:

1. Access the RAP console, and click the Diagnostics tab.

2. Click the Test drop-down list and select Ping, Traceroute, NSLookup, or Throughput.

The ping and traceroute tests require that you enter a network destination in the form of an IP address or fully-qualified domain name, and select either bridge or tunnel mode for the test.

The NSLookup diagnostic test requires that you enter a destination only. The throughput test checks the throughput of the link between the AP and the controller, and does not require any additional test configuration settings.

3. Click OK to start the test. The results of the test will appear in the Diagnostics window.


To display log files in a separate browser window, click the logs drop-down list at the upper right corner of the Diagnostics window, and select any of the log file names. The type of log files available will vary, depending upon your remote AP configuration.

Enabling Remote AP Advanced Configuration Options

This section describes the following features designed to enhance your remote AP configuration:

- Understanding Remote AP Modes of Operation
- Working in Fallback Mode
- Specifying the DNS Controller Setting
- Backup Controller List
- Configuring Remote AP Failback
- Working with Access Control Lists and Firewall Policies
- Understanding Split Tunneling
- Provisioning Wi-Fi Multimedia

The information in this section assumes you have already configured the remote AP functionality, as described in Configuring the Secure Remote Access Point Service on page 703.

Understanding Remote AP Modes of Operation

Table 161 summarizes the different remote AP modes of operation. You specify both the forward mode setting (which controls whether 802.11 frames are tunneled to the controller using GRE, bridged to the local Ethernet LAN, or a combination thereof) and the remote AP mode of operation (when the virtual AP operates on a remote AP) in the virtual AP profile.

The column on the left of the table lists the remote AP operation settings. The row across the top of the table lists the forward mode settings. To understand how these settings work in concert, scan the desired remote AP operation with the forward mode setting, and read the information in the appropriate table cell.

The “all” column and row lists features that all remote AP operation and forward mode settings have in common regardless of other settings. For example, at the intersection of “all” and “bridge,” the description outlines what happens in bridge mode regardless of the remote AP mode of operation.


Table 161: Remote AP Modes of Operation and Behavior

| Remote AP Operation Setting | Forward Mode: all | Forward Mode: bridge | Forward Mode: split-tunnel | Forward Mode: tunnel | Forward Mode: decrypt-tunnel |
| all | | Management frames on the AP. Frames are bridged between wired and wireless interfaces. No frames are tunneled to the controller. Station acquires its IP address locally from an external DHCP server. | Management frames on the AP. Frames are either GRE tunneled to the controller to a trusted tunnel or NATed and bridged on the wired interface according to user role and session ACL. Typically, the station obtains an IP address from a VLAN on the controller. Typically, the AP has ACLs that forward corporate traffic through the tunnel and source NAT the non-corporate traffic to the Internet. | Frames are GRE tunneled to the controller to an untrusted tunnel. 100% of station frames are tunneled to the controller. | Management frames on the AP. Frames are always GRE tunneled to controller. |
| always | ESSID is always up when the AP is up regardless of whether the controller is reachable. Supports PSK ESSID only. SSID configuration stored in flash on AP. | Provides an SSID that is always available for local access. | Not supported | Not supported | Not supported |
| backup | ESSID is only up when the controller is unreachable. Supports PSK ESSID only. SSID configuration stored in flash on AP. | Provides a backup SSID for local access only when the controller is unreachable. | Not supported | Not supported | Not supported |
| persistent | ESSID is up when the AP contacts the controller and stays up if connectivity is disrupted with the controller. SSID configuration obtained from the controller. Designed for 802.1X SSIDs. | Same behavior as standard, described below, except the ESSID is up if connectivity to the controller is lost. | Not supported | Not supported | Not supported |
| standard | ESSID is up only when there is connectivity with the controller. SSID configuration obtained from the controller. | Behaves like a classic Aruba branch office AP. Provides a bridged ESSID that is configured from the controller and stays up if there is controller connectivity. | Split tunneling mode | Classic Aruba thin AP operation | Decrypt tunnel mode |

Working in Fallback Mode

The fallback mode (also known as backup configuration) operates the remote AP if the master controller or the configured primary and backup LMS are unreachable. The remote AP saves configuration information that allows it to operate autonomously using one or more SSIDs in local bridging mode, while supporting open association or encryption with PSKs. You can also use the backup configuration if you experience network connectivity issues, such as the WAN link or the central data center becoming unavailable. With the backup configuration, the remote site does not go down if the WAN link fails or the data center is unavailable.

You define the backup configuration in the virtual AP profile on the controller. The remote AP checks for configuration updates each time it establishes a connection with the controller. If the remote AP detects a change, it downloads the configuration changes.

The following remote AP backup configuration options define when the SSID is advertised (refer to Table 161 for more information):

- Always—Permanently enables the virtual AP. Recommended for bridge SSIDs.
- Backup—Enables the virtual AP if the remote AP cannot connect to the controller. This SSID is advertised until the controller is reachable. Recommended for bridge SSIDs.
- Persistent—Permanently enables the virtual AP after the remote AP initially connects to the controller. Recommended for 802.1X SSIDs.
- Standard—Enables the virtual AP when the remote AP connects to the controller. Recommended for 802.1X, tunneled, and split-tunneled SSIDs. This is the default behavior.

While using the backup configuration, the remote AP periodically retries its IPSec tunnel to the controller. If you configure the remote AP in backup mode, and a connection to the controller is re-established, the remote AP stops using the backup configuration and immediately brings up the standard remote AP configuration. If you configure the remote AP in always or persistent mode, the backup configuration remains active after the IPSec tunnel to the controller has been re-established.

Backup Configuration Behavior for Wired Ports

If the connection between the remote AP and the controller is disconnected, the remote AP will exhibit the following behavior:

- All access ports on the remote AP will be moved to bridge forwarding mode, irrespective of their original forwarding mode.
- Clients will receive an IP address from the remote AP's DHCP server.
- Clients will have complete access to the remote AP's uplink network. You cannot enforce or modify any access control policies on the clients connected in this mode.

This section describes the following topics:

- Configuring Fallback Mode on page 717
- Configuring the DHCP Server on the Remote AP on page 719
- Configuring Advanced Backup Options on page 721

Configuring Fallback Mode

To configure the fallback mode, you must:

- Configure the AAA profile
- Configure the virtual AP profile

Configuring the AAA Profile for Fallback Mode

In the WebUI

The AAA profile defines the authentication method and the default user role for unauthenticated users:

1. Navigate to the Security > Authentication > AAA Profiles page. From the AAA Profiles Summary list, click Add.

2. Enter the AAA profile name, then click Add.

3. Select the AAA profile that you just created:

a. For Initial role, select the appropriate role (for example, “logon”).

b. For 802.1X Authentication Default Role, select the appropriate role (for example, “default”), then click Apply.

c. Under the AAA profile that you created, locate 802.1X Authentication Server Group, and select the authentication server group to use (for example “default”), then click Apply.

If you need to create an 802.1X authentication server group, select new from the 802.1X Authentication Server Group drop-down list, and enter the appropriate parameters.

d. Under the AAA profile that you created, locate 802.1X Authentication Profile, and select the profile to use (for example, “default”), then click Apply.

If you need to create an 802.1X authentication profile, select new from the 802.1X Authentication Profile drop-down list, and enter the appropriate parameters.

In the CLI

(host) (config) #aaa profile <name>
   initial-role <role>
   authentication-dot1x <dot1x-profile>
   dot1x-default-role <role>
   dot1x-server-group <group>

Configuring the Virtual AP Profile for Fallback Mode

In the WebUI

- Set the remote AP operation to always, backup, or persistent.
- Create and apply the applicable SSID profile.

The SSID profile for the backup configuration in always, backup, or persistent mode must be a bridge SSID. When configuring the virtual AP profile, specify forward mode as bridge.

The SSID profile for the backup configuration in standard mode can be a bridge, tunnel, or split tunnel SSID. When configuring the virtual AP profile, specify forward mode as bridge, tunnel, or split tunnel.

When creating a new virtual AP profile in the WebUI, you can also configure the SSID at the same time. For information about AP profiles, see Understanding AP Configuration Profiles on page 530.

1. Navigate to the Configuration > Wireless > AP Configuration page. Select either the AP Group or AP Specific tab. Click Edit for the AP group or AP name.

2. Under Profiles, select Wireless LAN, then Virtual AP.

3. To create a new virtual AP profile in the WebUI, select New from the Add a profile drop-down menu. Enter the name for the virtual AP profile, and click Add.

Whenever you create a new virtual AP profile in the WebUI, the profile automatically contains the “default” SSID profile with the default ESSID. You must configure a new ESSID and SSID profile for the virtual AP profile before you apply the profile.

a. In the Profile Details entry for the new virtual AP profile, go to the AAA Profile drop-down list and select the previously configured AAA profile (for example, logon). The AAA Profile pop-up window appears.

b. To set the AAA profile and close the pop-up window, click Apply.

c. In the Profile Details entry for the new virtual AP profile, select NEW from the SSID Profile drop-down menu. The SSID Profile pop-up window displays to allow you to configure the SSID profile.

d. Enter the name for the SSID profile (for example, backup).

e. Under Network, enter a name in the Network Name (SSID) field (for example, backup-psk).

f. Under Security, select the network authentication and encryption methods (for example, wpa-psk-tkip, with the passphrase remote123).

g. To set the SSID profile and close the pop-up window, click Apply.

4. At the bottom of the Profile Details window, click Apply.

5. Click the new virtual AP name in the Profiles list or the Profile Details to display configuration parameters.

6. Under Profile Details, do the following:

a. Make sure Virtual AP enable is selected.

b. From the VLAN drop-down menu, select the VLAN ID to use for the virtual AP profile.

c. From the Forward mode drop-down menu, select bridge.

d. From the Remote-AP Operation drop-down menu, select always, backup, or persistent. The default is standard. Click Apply.

In the CLI

(host) (config) #wlan ssid-profile <profile>
   essid <name>
   opmode <method>
   wpa-passphrase <string> (if necessary)

(host) (config) #wlan virtual-ap <name>
   ssid-profile <profile>
   vlan <vlan>
   forward-mode bridge
   aaa-profile <name>
   rap-operation {always|backup|persistent}

(host) (config) #ap-group <name>
   virtual-ap <name>

or

(host) (config) #ap-name <name>
   virtual-ap <name>
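The combinations in Table 161 and the bridge-SSID rule for fallback mode can be checked mechanically before a profile is pushed. The following is an added example, not code from the ArubaOS guide: it lints ArubaOS-style stanzas for unsupported rap-operation/forward-mode pairs and for always/backup SSIDs that are neither open nor PSK. The profile names and sample configuration are constructed, and the defaults used when a keyword is absent (forward mode tunnel, open opmode opensystem) are assumptions.

```python
# Added example: lint virtual AP stanzas against Table 161.
# Forward modes each remote AP operation supports, per Table 161.
SUPPORTED = {
    "always": {"bridge"},
    "backup": {"bridge"},
    "persistent": {"bridge"},
    "standard": {"bridge", "split-tunnel", "tunnel", "decrypt-tunnel"},
}
# Table 161: always and backup keep the SSID in AP flash and support PSK only;
# the fallback section also allows open association.
PSK_OR_OPEN_ONLY = {"always", "backup"}

# Constructed sample configuration; all profile names are hypothetical.
SAMPLE_CONFIG = """\
wlan ssid-profile backup-ssid
   essid backup-psk
   opmode wpa-psk-tkip
wlan ssid-profile corp-ssid
   essid corp
   opmode wpa2-aes
wlan virtual-ap branch-backup
   ssid-profile backup-ssid
   forward-mode bridge
   rap-operation backup
wlan virtual-ap branch-corp
   ssid-profile corp-ssid
   forward-mode split-tunnel
   rap-operation persistent
wlan virtual-ap branch-always
   ssid-profile corp-ssid
   forward-mode bridge
   rap-operation always
wlan virtual-ap hq-tunnel
   ssid-profile corp-ssid
"""


def parse_profiles(text):
    """Collect 'wlan ssid-profile' and 'wlan virtual-ap' stanzas into dicts."""
    profiles = {"ssid-profile": {}, "virtual-ap": {}}
    current = None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("!"):
            continue
        if words[0] == "wlan" and len(words) == 3 and words[1] in profiles:
            current = profiles[words[1]].setdefault(words[2], {})
        elif raw[0].isspace() and current is not None and len(words) >= 2:
            current[words[0]] = " ".join(words[1:])   # indented sub-command
        else:
            current = None                            # some other stanza
    return profiles


def lint(text):
    """Return (virtual_ap_name, finding) tuples, sorted by profile name."""
    profiles = parse_profiles(text)
    findings = []
    for name, vap in sorted(profiles["virtual-ap"].items()):
        # rap-operation defaults to standard (stated on this page);
        # forward-mode default of tunnel is an assumption.
        operation = vap.get("rap-operation", "standard")
        forward = vap.get("forward-mode", "tunnel")
        if operation not in SUPPORTED:
            findings.append((name, f"unknown rap-operation {operation!r}"))
            continue
        if forward not in SUPPORTED[operation]:
            findings.append(
                (name, f"{operation}/{forward} is 'Not supported' in Table 161"))
        ssid = profiles["ssid-profile"].get(vap.get("ssid-profile", ""), {})
        opmode = ssid.get("opmode", "")
        if (operation in PSK_OR_OPEN_ONLY and opmode
                and opmode != "opensystem" and "psk" not in opmode):
            findings.append(
                (name, f"{operation} SSIDs are PSK or open only; opmode is {opmode}"))
    return findings


if __name__ == "__main__":
    for vap_name, finding in lint(SAMPLE_CONFIG):
        print(f"{vap_name}: {finding}")
```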

Configuring the DHCP Server on the Remote AP

You can configure the internal DHCP server on the remote AP to provide an IP address for the backup SSID if the controller is unreachable. If configured, the remote AP DHCP server intercepts all DHCP requests and assigns an IP address from the configured DHCP pool.

To configure the remote AP DHCP server:

- Enter the VLAN ID for the remote AP DHCP VLAN in the AP system profile. This VLAN enables the DHCP server on the AP (also known as the remote AP DHCP server VLAN). If you enter the native VLAN ID, the DHCP server is not configured and is unavailable.
- Specify the DHCP IP address pool and netmask. The AP assigns IP addresses from the DHCP pool 192.168.11.0/24 by default, with an IP address range from 192.168.11.2 through 192.168.11.254. You can manually define the DHCP IP address pool and netmask based on your network design and IP address scheme.
- Specify the IP address of the DHCP server, DHCP router, and the DHCP DNS server. The AP uses IP address 192.168.11.1 for the DHCP server, the DHCP router, and the DHCP DNS server by default.
- Enter the number of days the assigned IP address is valid (also known as the remote AP DHCP lease). The lease does not expire by default, which means the IP address is always valid.
- Assign the VLAN ID for the remote AP DHCP VLAN to a virtual AP profile. When a client connects to that virtual AP profile, the AP assigns the IP address from the DHCP pool.

The following is a high-level description of the steps required to configure the DHCP server on the remote AP. The steps assume you have already created the virtual AP profile, AAA profile, SSID profile, and other settings for your remote AP operation (for information about the backup configuration, see Configuring Fallback Mode on page 717).

In the WebUI

1. Navigate to the Configuration > Wireless > AP Configuration page.

2. Select either the AP Group or AP Specific tab. Click Edit for the AP group or AP name.

3. Under Profiles, select AP to display the AP profiles.

4. Select the AP system profile you want to modify.

5. Under Profile Details:

a. At the LMS IP field, enter the LMS IP address.

b. At the Master controller IP address field, enter the master controller IP address.

c. At the Remote-AP DHCP Server VLAN field, enter the VLAN ID of the backup configuration virtual AP VLAN.

d. At the Remote-AP DHCP Server ID field, enter the IP address for the DHCP server.

e. At the Remote-AP DHCP Default Router field, enter the IP address for the default DHCP router.

f. At the Remote-AP DHCP DNS Server list, enter an IP address in the field to the right and click Add. You can add multiple IP addresses the same way. To delete an IP address, select an IP address from the list and click Delete.

g. Specify the DHCP IP address pool. This configures the pool of IP addresses from which the remote AP assigns IP addresses.

- At the Remote-AP DHCP Pool Start field, enter the first IP address of the pool.

- At the Remote-AP-DHCP Pool End field, enter the last IP address of the pool.

- At the Remote-AP-DHCP Pool Netmask field, enter the netmask.

h. At the Remote-AP DHCP Lease Time field, specify the amount of time the IP address is valid.

6. Click Apply.

7. Under Profiles, select Wireless LAN, then Virtual AP, then the virtual AP profile you want to configure.

8. Under Profile Details, at the VLAN drop-list, select the VLAN ID of the remote AP DHCP VLAN, click the left arrow to move the VLAN ID to the VLAN field, and click Apply.

In the CLI

Use the following commands:

(host) (config) #ap system-profile <name>
   lms-ip <ipaddr>
   master-ip <ipaddr>
   rap-dhcp-default-router <ipaddr>
   rap-dhcp-dns-server <ipaddr>
   rap-dhcp-lease <days>
   rap-dhcp-pool-end <ipaddr>
   rap-dhcp-pool-netmask <netmask>
   rap-dhcp-pool-start <ipaddr>
   rap-dhcp-server-id <ipaddr>
   rap-dhcp-server-vlan <vlan>

(host) (config) #wlan virtual-ap <name>
   ssid-profile <profile>
   vlan <vlan>
   forward-mode bridge
   aaa-profile <name>
   rap-operation {always|backup|persistent}

(host) (config) #ap-group <name>
   ap-system-profile <name>
   virtual-ap <name>

or

(host) (config) #ap-name <name>
   ap-system-profile <name>
   virtual-ap <name>
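The remote AP DHCP settings above depend on each other: the server VLAN must not be the native VLAN, a virtual AP must use it, and the pool, router and server addresses must share one subnet. The following is an added example, not part of the ArubaOS guide, that checks a set of rap-dhcp-* values for those conditions. The function name, the dictionary input format and the "server address inside the pool" check are assumptions made for illustration; the default addresses are the ones this page states.

```python
import ipaddress

# Defaults this page states for the remote AP DHCP server.
PAGE_DEFAULTS = {
    "rap-dhcp-server-id": "192.168.11.1",
    "rap-dhcp-default-router": "192.168.11.1",
    "rap-dhcp-dns-server": "192.168.11.1",
    "rap-dhcp-pool-start": "192.168.11.2",
    "rap-dhcp-pool-end": "192.168.11.254",
    "rap-dhcp-pool-netmask": "255.255.255.0",
}


def check_rap_dhcp(params, native_vlan, vap_vlans):
    """Return a list of problems in an AP system profile's rap-dhcp-* values.

    params      -- dict of rap-dhcp-* keywords (hypothetical input format)
    native_vlan -- the AP's native VLAN ID
    vap_vlans   -- set of VLAN IDs assigned to bridge-mode virtual AP profiles
    Malformed addresses raise ValueError from the ipaddress module.
    """
    cfg = {**PAGE_DEFAULTS, **params}
    problems = []

    vlan = cfg.get("rap-dhcp-server-vlan")
    if vlan is None:
        problems.append("rap-dhcp-server-vlan is not set")
    elif vlan == native_vlan:
        # Stated on this page: the native VLAN leaves the server unconfigured.
        problems.append(
            f"rap-dhcp-server-vlan {vlan} is the native VLAN; "
            "the DHCP server is not configured and is unavailable")
    elif vlan not in vap_vlans:
        problems.append(
            f"no virtual AP profile uses VLAN {vlan}, so no client gets a lease")

    server = ipaddress.ip_address(cfg["rap-dhcp-server-id"])
    subnet = ipaddress.ip_network(
        f"{server}/{cfg['rap-dhcp-pool-netmask']}", strict=False)
    start = ipaddress.ip_address(cfg["rap-dhcp-pool-start"])
    end = ipaddress.ip_address(cfg["rap-dhcp-pool-end"])

    for key in ("rap-dhcp-pool-start", "rap-dhcp-pool-end",
                "rap-dhcp-default-router"):
        if ipaddress.ip_address(cfg[key]) not in subnet:
            problems.append(f"{key} {cfg[key]} is outside {subnet}")

    if start > end:
        problems.append("pool start is after pool end")
    elif start <= server <= end:
        # General DHCP hygiene, not a rule stated in the guide.
        problems.append(f"server address {server} lies inside the pool")

    for label, addr in (("pool start", start), ("pool end", end)):
        if addr in (subnet.network_address, subnet.broadcast_address):
            problems.append(f"{label} {addr} is not a usable host address")
    return problems


if __name__ == "__main__":
    # Constructed input: page defaults on VLAN 20, native VLAN 1.
    print(check_rap_dhcp({"rap-dhcp-server-vlan": 20}, 1, {20}))
```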


Configuring Advanced Backup Options

You can also use the backup configuration (fallback mode) to allow the remote AP to pass through a captive portal, such as network access in a hotel, airport, or other public network, to access the corporate network. For this scenario:

- Define a session ACL for the bridge SSID to source NAT all user traffic, except DHCP. For example, use any any svc-dhcp permit followed by any any any route src-nat. Apply the session ACL to a remote AP user role.

- Configure the AAA profile. Make sure the initial role contains the session ACL previously configured. The AAA profile defines the authentication method and the default user role.

  802.1X and PSK authentication is supported when configuring bridge or split tunnel modes.

- Configure the virtual AP profile for the backup configuration:

   - Set the remote AP operation to always or backup.
   - Create and apply the applicable SSID profile.
   - Configure a bridge SSID for the backup configuration. In the virtual AP profile, specify forward mode as bridge.

  For more information about the backup configuration, see Configuring Fallback Mode on page 717.

- Enter the remote AP DHCP server parameters in the AP system profile. For more information about the parameters, see Configuring the DHCP Server on the Remote AP on page 719.

  If you use a local DHCP server to obtain IP addresses, you must define one additional ACL to permit traffic between clients without source NATing the traffic. Using the previously configured ACL, add user alias internal-network any permit before any any any route src-nat.

- Connect the remote AP to the available public network (for example, a hotel or airport network). The remote AP advertises the backup SSID so the wireless client can connect and obtain an IP address from the available DHCP server.

  The client can obtain an IP address from the public network, for example a hotel or airport, or from the DHCP server on the remote AP.

After obtaining an IP address, the wireless client can connect and access the corporate network and bring up the configured corporate SSIDs.

The following is a high-level description of what is needed to configure the remote AP to pass through a captive portal and access the corporate controller. This information assumes you are familiar with configuring session ACLs, AAA profiles, virtual APs, and AP system profiles and highlights the modified parameters.

Configuring the Session ACL

In the WebUI

1. Navigate to the Configuration > Security > Access Control > Policies page.

2. Click Add to create a new policy.

3. Enter the policy name in the Policy Name field.

4. From the Policy Type drop-down list, select IPv4 Session.

5. To create the first rule:

a. Under Rules, click Add.

b. Under Source, select any.

c. Under Destination, select any.

d. Under Service, select service. In the service drop-down list, select svc-dhcp.

e. Under Action, select permit.

f. Click Add.

6. To create the next rule:

a. Under Rules, click Add.

b. Under Source, select any.

c. Under Destination, select any.

d. Under Service, select any.

e. Under Action, select route, and select the src-nat checkbox.

f. Click Add.

7. Click Apply.

If you use a local DHCP server to obtain IP addresses, you must define one additional ACL to permit traffic between clients without source NATing the traffic. Add user alias internal-network any permit before any any any route src-nat .

8. Click the User Roles tab.

a. Click Add .

b. Enter the Role Name.

c. Click Add under Firewall Policies.

d. In the Choose from Configured Policies menu, select the policy you just created.

e. Click Done .

In the CLI

Use the following commands:

(host) (config) #ip access-list session <policy>
   any any svc-dhcp permit
   any any any route src-nat

If you use a local DHCP server to obtain IP addresses, you must define one additional ACL to permit traffic between clients without source NATing the traffic. Add user alias internal-network any permit before any any any route src-nat.

(host) (config) #user-role <role>
   session-acl <policy>
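The instruction to place user alias internal-network any permit before any any any route src-nat matters because session ACL rules are evaluated top-down and the first matching rule decides the action. The following is an added example, not part of the ArubaOS guide, that evaluates constructed client flows against the page's three rules in the documented order and in the wrong order. It assumes the internal-network alias is the default remote AP DHCP pool 192.168.11.0/24, that svc-dhcp is UDP ports 67-68, and that an ACL ends with an implicit deny.

```python
import ipaddress

# Assumptions for this sketch (not defined on the page):
ALIASES = {"internal-network": ipaddress.ip_network("192.168.11.0/24")}
SERVICES = {"any": None, "svc-dhcp": ("udp", range(67, 69))}

# Rule order recommended on this page when a local DHCP server is used.
CAPTIVE_PORTAL_ACL = [
    "any any svc-dhcp permit",
    "user alias internal-network any permit",
    "any any any route src-nat",
]
# Same rules with the client-to-client permit placed too late.
MISORDERED_ACL = [
    "any any svc-dhcp permit",
    "any any any route src-nat",
    "user alias internal-network any permit",
]


def parse_rule(line):
    """Parse '<source> <destination> <service> <action>' as used on this page."""
    tokens = line.split()
    source = tokens.pop(0)                    # "any" or "user"
    if tokens[0] == "alias":                  # "alias <name>"
        destination = ALIASES[tokens[1]]
        tokens = tokens[2:]
    else:                                     # "any"
        destination = None
        tokens = tokens[1:]
    return {
        "source": source,
        "destination": destination,
        "service": SERVICES[tokens[0]],
        "action": " ".join(tokens[1:]),       # "permit" or "route src-nat"
    }


def rule_matches(rule, dst, proto, dport):
    """True if a flow from a client on the bridge SSID matches the rule."""
    if rule["destination"] is not None:
        if ipaddress.ip_address(dst) not in rule["destination"]:
            return False
    if rule["service"] is not None:
        svc_proto, svc_ports = rule["service"]
        if proto != svc_proto or dport not in svc_ports:
            return False
    return True


def first_match(acl, dst, proto, dport):
    """Return (rule_index, action) for the first matching rule."""
    for index, line in enumerate(acl):
        rule = parse_rule(line)
        if rule_matches(rule, dst, proto, dport):
            return index, rule["action"]
    return None, "deny"                       # implicit deny (assumption)


def shadowed_rules(acl):
    """Indexes of rules that sit below an 'any any any' rule and never match."""
    shadowed, catch_all_seen = [], False
    for index, line in enumerate(acl):
        rule = parse_rule(line)
        if catch_all_seen:
            shadowed.append(index)
        elif (rule["source"] == "any" and rule["destination"] is None
              and rule["service"] is None):
            catch_all_seen = True
    return shadowed


if __name__ == "__main__":
    # Constructed flows: DHCP request, neighbour on the local pool, Internet.
    flows = [("255.255.255.255", "udp", 67),
             ("192.168.11.20", "tcp", 445),
             ("203.0.113.10", "tcp", 443)]
    for name, acl in (("documented order", CAPTIVE_PORTAL_ACL),
                      ("misordered", MISORDERED_ACL)):
        for flow in flows:
            print(name, flow, "->", first_match(acl, *flow))
        print(name, "shadowed rules:", shadowed_rules(acl))
```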

Configuring the AAA Profile

In the WebUI

1. Navigate to the Security > Authentication > AAA Profiles page. From the AAA Profiles Summary list, click Add.

2. Enter the AAA profile name, then click Add.

3. Select the AAA profile that you just created:

a. For Initial role, select the user role you just created.

b. For 802.1X Authentication Default Role, select the appropriate role for your remote AP configuration, then click Apply.

c. Under the AAA profile that you created, locate 802.1X Authentication Server Group, and select the authentication server group to use for your remote AP configuration, then click Apply.

If you need to create an 802.1X authentication server group, select new from the 802.1X Authentication Server Group drop-down list, and enter the appropriate parameters.

d. Under the AAA profile that you created, locate 802.1X Authentication Profile, select the profile to use for your remote AP configuration, then click Apply.

In the CLI

(host) (config) #aaa profile <name>
   initial-role <role>

You can define other parameters as needed.

Defining the Backup Configuration

In the WebUI

1. Navigate to the Configuration > Wireless > AP Configuration page. Select either the AP Group or AP Specific tab. Click Edit for the AP group or AP name.

2. Under Profiles, select Wireless LAN, then Virtual AP.

3. To create a new virtual AP profile in the WebUI, select New from the Add a profile drop-down menu. Enter the name for the virtual AP profile, and click Add.

Whenever you create a new virtual AP profile in the WebUI, the profile automatically contains the “default” SSID profile with the default ESSID. You must configure a new ESSID and SSID profile for the virtual AP profile before you apply the profile.

a. In the Profile Details entry for the new virtual AP profile, go to the AAA Profile drop-down list and select the previously configured AAA profile. The AAA Profile pop-up window appears.

b. To set the AAA profile and close the pop-up window, click Apply.

c. In the Profile Details entry for the new virtual AP profile, select NEW from the SSID Profile drop-down menu. The SSID Profile pop-up window displays to allow you to configure the SSID profile.

d. Enter the name for the SSID profile.

e. Under Network, enter a name in the Network Name (SSID) field.

f. Under Security, select the network authentication and encryption methods.

g. To set the SSID profile and close the pop-up window, click Apply.

4. At the bottom of the Profile Details window, click Apply.

5. Click the new virtual AP name in the Profiles list or the Profile Details to display configuration parameters.

6. Under Profile Details, do the following:

a. Make sure Virtual AP enable is selected.

b. From the VLAN drop-down menu, select the VLAN ID to use for the Virtual AP profile.

c. From the Forward mode drop-down menu, select bridge.

d. From the Remote-AP Operation drop-down menu, select always or backup.

e. Click Apply.

7. Under Profiles, select AP, then AP system profile.

8. Under Profile Details, do the following:

a. Select the AP system profile to edit.

b. At the LMS IP field, enter the LMS IP address.

c. At the Master controller IP address field, enter the master controller IP address.

d. Configure the Remote-AP DHCP Server fields.

e. Click Apply.

In the CLI

Use the following commands:

(host) (config) #wlan ssid-profile <profile>
   essid <name>
   opmode <method>
   wpa-passphrase <string> (if necessary)

(host) (config) #wlan virtual-ap <name>
   ssid-profile <profile>
   vlan <vlan>
   forward-mode bridge
   aaa-profile <name>
   rap-operation {always|backup}

(host) (config) #ap system-profile <name>
   lms-ip <ipaddr>
   master-ip <ipaddr>
   rap-dhcp-default-router <ipaddr>
   rap-dhcp-dns-server <ipaddr>
   rap-dhcp-lease <days>
   rap-dhcp-pool-end <ipaddr>
   rap-dhcp-pool-netmask <netmask>
   rap-dhcp-pool-start <ipaddr>
   rap-dhcp-server-id <ipaddr>
   rap-dhcp-server-vlan <vlan>

(host) (config) #ap-group <name>
   virtual-ap <name>
   ap-system-profile <name>

or

(host) (config) #ap-name <name>
   virtual-ap <name>
   ap-system-profile <name>

Specifying the DNS Controller Setting

In addition to specifying IP addresses for controllers, you can also specify the master DNS name for the controller when provisioning the remote AP. The name must be resolved to an IP address when attempting to set up the IPSec tunnel. For information on how to configure a host name entry on the DNS server, refer to the vendor documentation for your server. It is recommended to use a maximum of 8 IP addresses to resolve a controller name.

If the remote AP gets multiple IP addresses responding to a host name lookup, the remote AP can use one of them to establish a connection to the controller. For more detailed information, see the next section, Backup Controller List on page 725.

Specifying the name also lets you move or change remote AP concentrators without reprovisioning your APs.

For example, in a DNS load-balancing model, the host name resolves to a different IP address depending on the location of the user. This allows the remote AP to contact the controller to which it is geographically closest.

The DNS setting is part of provisioning the AP. The easiest way to provision an AP is to use the Provisioning page in the WebUI. These instructions assume you are only modifying the controller information in the Master Discovery section of the Provision page.


Reprovisioning the AP causes it to automatically reboot.

In the WebUI

1. Navigate to the Configuration > Wireless > AP Installation > Provisioning page. Select the remote AP and click Provision.

2. Under Master Discovery, enter the master DNS name of the controller.

3. Click Apply and Reboot.

For more information, see Provision the AP on page 707.

Backup Controller List

Using DNS, the remote AP receives multiple IP addresses in response to a host name lookup. These addresses are known as the backup controller list, and remote APs go through this list to associate with a controller. If the primary controller is unavailable or does not respond, the remote AP continues through the list until it finds an available controller. This provides redundancy and failover protection.

The remote AP loses the IP address information received through DNS when it terminates and receives the system profile configuration from the controller. If the remote AP loses connectivity on the IPSec tunnel to the controller, the RAP fails over from the primary controller to the backup controller. For this scenario, add the IP address of the backup controller in the backup LMS and the IP address of the primary controller in the LMS field of the ap-system profile. Network connectivity is lost during this time. As described in the section Configuring Remote AP Failback on page 726, you can also configure a remote AP to revert back to the primary controller when it becomes available. To complete this scenario, you must also configure the LMS IP address and the backup LMS IP address.

For example, assume you have two data centers, data center 1 and data center 2, and each data center has one master controller in the DMZ. You can provision the remote APs to use the controller in data center 1 as the primary controller, and the controller in data center 2 as the backup controller. If the remote AP loses connectivity to the primary, it will attempt to establish connectivity to the backup. You define the LMS parameters in the AP system profile.

Figure 103 Sample Backup Controller Scenario


Configuring the LMS and backup LMS IP addresses

In the WebUI

1. Navigate to the Configuration > Wireless > AP Configuration page.

2. Select either the AP Group or AP Specific tab. Click Edit for the AP group or AP name.

3. Under Profiles, select AP to display the AP profiles.

4. Select the AP system profile you want to modify.

5. Under Profile Details:

a. At the LMS IP field, enter the primary controller IP address.

b. At the Backup LMS IP field, enter the backup controller IP address.

6. Click Apply.

In the CLI

(host) (config) #ap system-profile <profile>
   lms-ip <ipaddr>
   bkup-lms-ip <ipaddr>

(host) (config) #ap-group <group>
   ap-system-profile <profile>

(host) (config) #ap-name <name>
   ap-system-profile <profile>

Configuring Remote AP Failback

In conjunction with the backup controller list, you can configure remote APs to revert back (failback) to the primary controller if it becomes available. If you do not explicitly configure this behavior, the remote AP will keep its connection with the backup controller until the remote AP, controller, or both have rebooted or some type of network failure occurs. If any of these events occur, the remote AP will go through the backup controller list and attempt to connect with the primary controller.

In the WebUI

1. Navigate to the Configuration > Wireless > AP Configuration page.

2. Select either the AP Group or AP Specific tab. Click Edit for the AP group or AP name.

3. Under Profiles, select AP to display the AP profiles.

4. Select the AP system profile you want to modify.

5. Under Profile Details:

a. Click LMS Preemption. This is disabled by default.

b. At the LMS Hold-down period field, enter the amount of time the remote AP must wait before moving back to the primary controller.

6. Click Apply.

In the CLI

Use the following commands:

(host) (config) #ap system-profile <profile>
   lms-preemption
   lms-hold-down-period <seconds>


Enabling RAP Local Network Access

You can enable local network access between the clients (from same or different subnets and VLANs) connected to a RAP through wired or wireless interfaces in split-tunnel/bridge forwarding modes. This allows the clients to effectively communicate with each other without routing the traffic via the controller. You can use WebUI or CLI to enable the local network access.

In the WebUI

1. Navigate to the Configuration > Wireless > AP Configuration page.

2. Select the AP Group tab. Click Edit for the AP group or AP name.

3. Under Profiles , expand the AP menu, then select AP system profile .

4. To enable remote network access, select the Remote-AP Local Network Access check box.

Figure 104 Enable Remote AP Local Network Access

5. Click Apply .

In the CLI

- To enable, enter the following command:

  ap system-profile <ap-profile>
     rap-local-network-access

- To disable, enter the following command:

  ap system-profile <ap-profile>
     no rap-local-network-access

See the ArubaOS Command Line Reference Guide for detailed information on the command options.

Configuring Remote AP Authorization Profiles

Remote AP configurations include an authorization profile that specifies which profile settings should be assigned to a remote AP that has been provisioned but not yet authenticated at the remote site. These yet-unauthorized APs are put into the temporary AP group authorization-group by default and assigned the predefined profile NoAuthApGroup. This configuration allows the user to connect to an unauthorized remote AP via a wired port, then enter a corporate username and password. Once a valid user has authorized the AP, it will be marked as authorized on the network. The remote AP will then download the configuration assigned to that AP by its permanent AP group.

In the WebUI

Adding or Editing a Remote AP Authorization Profile

To create a new authorization profile or edit an existing authorization profile via the WebUI:

1. Select Configuration > All Profiles. The All Profile Management window opens.

2. Select AP to expand the AP profile menu.

3. Select AP Authorization Profile. The Profile Details pane appears and displays the list of existing AP authorization profiles.

- To edit an existing profile, select a profile from the Profile Details pane.

- To create a new authorization profile, enter a new profile name in the entry blank on the Profile Details pane, then click Add.

4. The Profile Details window will display the AP group currently defined for that authorization profile. To select a new AP group, click the drop-down list and select a different AP group name.

5. Click Apply.

In the CLI

To create a new authorization profile or edit an existing authorization profile via the command-line interface, access the command-line interface in enable mode, and issue the following commands.

(host) (config) #ap authorization-profile <profile>
   authorization-group <ap-group>

Working with Access Control Lists and Firewall Policies

Remote APs support the following access control lists (ACLs); unless otherwise noted, you apply these ACLs to user roles:

- Standard ACLs—Permit or deny traffic based on the source IP address of the packet.
- Ethertype ACLs—Filter traffic based on the Ethertype field in the frame header.
- MAC ACLs—Filter traffic on a specific source MAC address or range of MAC addresses.
- Firewall policies (session ACLs)—Identify specific characteristics about a data packet passing through the Aruba controller and take some action based on that identification. You apply these ACLs to user roles or uplink ports.

To configure firewall policies, you must install the PEFNG license.

For more information about ACLs and firewall policies, see Configuring Fallback Mode on page 717.

Understanding Split Tunneling

The split tunneling feature allows you to optimize traffic flow by directing only corporate traffic back to the controller, while local application traffic remains local. This ensures that local traffic does not incur the overhead of the round trip to the controller, which decreases traffic on the WAN link and minimizes latency for local application traffic. This is useful for sites that have local servers and printers. With split tunneling, a remote user associates with a single SSID, not multiple SSIDs, to access corporate resources (for example, a mail server) and local resources (for example, a local printer). The remote AP examines session ACLs to distinguish between corporate traffic destined for the controller and local traffic.

Figure 105 Sample Split Tunnel Environment

Figure 105 shows that corporate traffic is GRE tunneled to the controller through a trusted tunnel, and local traffic is source NATed and bridged on the wired interface, based on the configured user role and session ACL.

Configuring Split Tunneling

The procedure to configure split tunneling requires the following steps. Each step is described in detail later in this chapter.

The split tunneling feature requires the PEFNG license. If you do not have the PEFNG license on your controller, you must install it before you configure split tunneling. For details on installing licenses, see Software Licenses on page 78.

1. Define a session ACL that forwards only corporate traffic to the controller.

a. Configure a net destination for the corporate subnets.

b. Create rules to permit DHCP and corporate traffic to the corporate controller.

c. Apply the session ACL to a user role.

2. (Optional) Configure an ACL that restricts remote AP users from accessing the remote AP local debugging homepage.

3. Configure the remote AP’s AAA profile.

a. Specify the authentication method (802.1X or PSK) and the default user role for authenticated users.

The user role specified in the AAA profile must contain the session ACL defined in the previous step.

b. (Optional) Use the remote AP’s AAA profile to enable RADIUS accounting.

4. Configure the virtual AP profile:

a. Specify the AP group or AP to which the virtual AP profile applies.

b. Set the VLAN used for split tunneling. Only one VLAN can be configured for split tunneling; VLAN pooling is not allowed.

c. When specifying the use of a split tunnel configuration, use “split-tunnel” forward mode.

d. Create and apply the applicable SSID profile.

When creating a new virtual AP profile in the WebUI, you can also configure the SSID at the same time. For information about AP profiles, see Understanding AP Configuration Profiles on page 530.

5. (Optional) Create a list of network names resolved by corporate DNS servers.

Configuring the Session ACL Allowing Tunneling

First you need to configure a session ACL that “permits” corporate traffic to be forwarded (tunneled) to the controller, and that routes, or locally bridges, local traffic.

In the WebUI

1. Navigate to the Configuration > Security > Access Control > Policies page.

2. Click Add to create a new policy.

3. Enter the policy name in the Policy Name field.

4. From the Policy Type drop-down list, select Session .

5. From the IP Version drop-down list, select IPv4 or IPv6 .

6. To create the first rule:

a. Under Rules, click Add.

b. Under Source, select any.

c. Under Destination, select any.

d. Under Service, select service. In the service drop-down list, select svc-dhcp.

e. Under Action, select permit for IPv4 or captive for IPv6.

f. Click Add .

7. To create the next rule:

a. Under Rules, click Add.

b. Under Source, select any .

c. Under Destination, select alias .

The following steps define an alias representing the corporate network. Once defined, you can use the alias for other rules and policies. You can also create multiple destinations the same way.

8. Under the alias section, click New . Enter a name in the Destination Name field.

a. Click Add .

b. For Rule Type, select Network .

c. Enter the public IP address of the controller.

d. Enter the Network Mask/Range.

e. Click Add to add the network range.

f. Click Apply . The new alias appears in the Destination menu.

9. Under Destination , select the alias you just created.

10. Under Service, select any.

11. Under Action, select permit for IPv4 or captive for IPv6.

12. Click Add.

13. To create the next rule:

a. Under Rules, click Add.

b. Under Source , select user .

c. Under Destination , select any .

d. Under Service , select any .

e. Under Action , select route and check src-nat .

f. Click Add .

14. Click Apply.

15. Click the User Roles tab.

a. Click Add to create and configure a new user role.

b. Enter the desired name for the role in the Role Name field.

c. Under Firewall Policies , click Add .

d. From the Choose from Configured Policies drop-down menu, select the policy you just configured.

e. Click Done .

16. Click Apply.

In the CLI

(host) (config) #ap system-profile <profile>
   lms-preemption
   lms-hold-down period <seconds>

(host) (config) #netdestination <policy>
   network <ipaddr> <netmask>
   network <ipaddr> <netmask>

(host) (config) #ip access-list session <policy>
   any any svc-dhcp permit
   any alias <name> any permit
   user any any route src-nat

(host) (config) #user-role <role>
   session-acl <policy>

When defining the alias, there are a number of other session ACLs that you can create to define the handling of local traffic, such as:

(host) (config) #ip access-list session <policy>
   user alias <name> any redirect 0
   user alias <name> any route
   user alias <name> any route src-nat

Configuring an ACL to Restrict Local Debug Homepage Access

A user in split or bridge role using a remote AP (RAP) can log on to the local debug (LD) homepage (for example, http://rapconsole.arubanetworks.com) and perform a reboot or reset operation. The LD homepage provides various information about the RAP and also has a button to reboot the RAP. You can now restrict a RAP user from resetting or rebooting a RAP by using the localip keyword in the user role ACL.

You will require the PEFNG license to use this feature. See Software Licenses on page 78 for more information on licensing requirements.

Any user associated to that role can be allowed or denied access to the LD homepage. You can use the localip keyword in the ACL rule to identify the local IP address on the RAP. The localip keyword identifies the set of all local IP addresses on the system to which the ACL is applied. The existing keywords controller and mswitch indicate only the primary IP address on the controller.

This release of ArubaOS provides localip keyword support only for RAP and not for controller.

In the WebUI

1. Navigate to the Configuration > Security > Access Control > Policies page.

2. Click Add to create a new policy.

3. Enter the policy name in the Policy Name field.

4. From the Policy Type drop-down list, select IPv4 Session .

5. To create the first rule:

a. Under Rules , click Add .

b. Under Source , select localip .

c. Under Destination , select any .

d. Under Action , select permit .

e. Click Apply .

Figure 106 Enable Restricted Access to LD Homepage

In the CLI

Use the localip keyword in the user role ACL.

All users have an ACL entry of type any any deny by default. This rule restricts access to all users. When the ACL is configured for a user role, if a user any permit ACL rule is configured, add a deny ACL rule for localip before it to restrict the user from accessing the LD homepage.

Example:

(host) (config) #ip access-list session logon-control
   user localip svc-http deny
   user any permit
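The rule order that this section and the split-tunnel session ACL section rely on, as an added example that is not part of the manual or Aruba's own code: a small Python model of first-match session ACL evaluation that shows which client flows are tunneled, which are routed locally, and whether the LD homepage stays reachable. The alias name corp-net, the addresses, and the simplifications (every flow comes from a wireless client, rules are checked top-down with the first match winning, any action other than deny leaves the page reachable) are assumptions.

```python
import ipaddress

# Constructed sample data (assumptions, not values from the manual): one
# netdestination alias and the address that localip stands for on this RAP.
ALIASES = {"corp-net": [ipaddress.ip_network("10.0.0.0/8")]}
LOCAL_IPS = {ipaddress.ip_address("192.168.11.1")}
SERVICES = {"svc-dhcp": ("udp", {67, 68}), "svc-http": ("tcp", {80})}

# The three split-tunnel rules from the CLI section, with a constructed alias name.
SPLIT_ACL = """\
any any svc-dhcp permit
any alias corp-net any permit
user any any route src-nat
"""
# The same rules with the localip deny placed first, and placed last.
HARDENED_ACL = "user localip svc-http deny\n" + SPLIT_ACL
MISORDERED_ACL = SPLIT_ACL + "user localip svc-http deny\n"


def parse_rules(acl_text):
    """Parse '<source> <destination> <service> <action...>' lines into dicts."""
    rules = []
    for line in acl_text.splitlines():
        tok = line.split()
        if not tok:
            continue
        try:
            src = tok.pop(0)
            dst = tok.pop(0)
            if dst == "alias":              # 'alias <name>' spans two tokens
                dst = ("alias", tok.pop(0))
            service = tok.pop(0)
        except IndexError:
            raise ValueError("incomplete rule: " + line.strip()) from None
        if not tok:
            raise ValueError("rule has no action: " + line.strip())
        rules.append({"src": src, "dst": dst, "service": service,
                      "action": " ".join(tok), "text": line.strip()})
    return rules


def _dst_matches(dst, ip):
    if dst == "any":
        return True
    if dst == "localip":
        return ip in LOCAL_IPS
    if isinstance(dst, tuple):
        return any(ip in net for net in ALIASES[dst[1]])
    return False


def _service_matches(service, proto, port):
    if service == "any":
        return True
    want_proto, ports = SERVICES[service]
    return proto == want_proto and port in ports


def evaluate(acl_text, dst_ip, proto, port):
    """Return (action, rule text) of the first rule that matches a client flow."""
    ip = ipaddress.ip_address(dst_ip)
    for rule in parse_rules(acl_text):
        # Every flow modelled here originates from a wireless client, so both
        # the 'any' and 'user' source keywords match it.
        if rule["src"] not in ("any", "user"):
            continue
        if _dst_matches(rule["dst"], ip) and _service_matches(rule["service"], proto, port):
            return rule["action"], rule["text"]
    return "deny", "(implicit any any deny)"


def forwarding(action):
    """Describe what a split-tunnel RAP does with a flow for a given action."""
    if action == "permit":
        return "tunnel to controller"
    if action.startswith("route"):
        return "route locally" + (" with source NAT" if "src-nat" in action else "")
    if action == "deny":
        return "drop"
    return "other: " + action


def ld_homepage_reachable(acl_text):
    """True if a client's HTTP request to any RAP local IP is not denied."""
    return any(evaluate(acl_text, str(ip), "tcp", 80)[0] != "deny" for ip in LOCAL_IPS)


if __name__ == "__main__":
    flows = [("mail server", "10.1.20.5", "tcp", 25),
             ("local printer", "192.168.11.50", "tcp", 9100),
             ("LD homepage", "192.168.11.1", "tcp", 80)]
    for name, acl in [("split", SPLIT_ACL), ("hardened", HARDENED_ACL),
                      ("misordered", MISORDERED_ACL)]:
        for label, dst, proto, port in flows:
            action, rule = evaluate(acl, dst, proto, port)
            print(f"{name:10} {label:13} -> {forwarding(action):30} [{rule}]")
        print(f"{name:10} LD homepage reachable: {ld_homepage_reachable(acl)}")
```

Placing the localip deny after the broad user rule leaves the homepage reachable, which is why the deny has to come first.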

Configuring the AAA Profile for Tunneling

After you configure the session ACL, you define the AAA profile used for split tunneling. When defining the AAA parameters, specify the previously configured user role that contains the session ACL used for split tunneling.

If you enable RADIUS accounting in the AAA profile, the controller sends a RADIUS accounting start record to the RADIUS server when a user associates with the remote AP, and sends a stop record when the user logs out or is deleted from the user database. If you enable interim accounting, the controller sends updates at regular intervals. Each interim record includes cumulative user statistics, including received bytes and packets counters. For more information on RADIUS accounting, see RADIUS Accounting on page 208.

In the WebUI

1. Navigate to the Security > Authentication > AAA Profiles page. From the AAA Profiles Summary list, click Add.

2. Enter the AAA profile name, then click Add .

3. Select the AAA profile that you just created.

a. For 802.1X Authentication Default Role , select the user role you previously configured for split tunneling, then click Apply .

b. Under the AAA profile that you created, locate 802.1X Authentication Server Group , and select the authentication server group to use, then click Apply .

4. (Optional) To enable RADIUS accounting:

a. Select the AAA profile from the profile list to display the list of authentication and accounting profiles associated with the AAA profile.

b. Select the Radius Accounting Server Group profile associated with the AAA profile. Click the RADIUS Accounting Server Group drop-down list to select a RADIUS server group. (For more information on configuring a RADIUS server or server group, see Configuring a RADIUS Server on page 180.)

c. To enable RADIUS Interim Accounting, select the AAA profile name from the profile list, then click the RADIUS Interim Accounting checkbox. This option is disabled by default, allowing the controller to send only start and stop messages to the RADIUS accounting server.

5. Click Apply .

If you need to create an authentication server group, select new and enter the appropriate parameters.

In the CLI

(host) (config) #aaa profile <name>
   authentication-dot1x <dot1x-profile>
   dot1x-default-role <role>
   dot1x-server-group <group>
   radius-accounting <group>
   radius-interim-accounting

Configuring the Virtual AP Profile

In the WebUI

1. Navigate to Configuration > Wireless > AP Configuration page. Select either the AP Group or AP Specific tab. Click Edit for the applicable AP group name or AP name.

2. Under Profiles , select Wireless LAN , then Virtual AP .

3. To create a new virtual AP profile in the WebUI, select New from the Add a profile drop-down menu. Enter the name for the virtual AP profile, and click Add .

Whenever you create a new virtual AP profile in the WebUI, the profile automatically contains the “default” SSID profile with the default ESSID. You must configure a new ESSID and SSID profile for the virtual AP profile before you apply the profile.

a. In the Profile Details entry, go to the AAA Profile drop-down list and select the previously configured AAA profile. The AAA Profile pop-up window appears.

b. To set the AAA profile and close the window, click Apply .

c. In the Profile Details entry for the new virtual AP profile, select NEW from the SSID Profile drop-down menu. A pop-up window displays to allow you to configure the SSID profile.

d. Enter the name for the SSID profile.

e. Under Network , enter a name in the Network Name (SSID) field.

f. Under Security , select the network authentication and encryption methods.

g. To set the SSID profile and close the window, click Apply .

4. Click Apply at the bottom of the Profile Details window.

5. Click the new virtual AP name in the Profiles list or the Profile Details to display configuration parameters.

6. Under Profile Details:

a. Make sure Virtual AP enable is selected.

b. From the VLAN drop-down menu, select the VLAN ID for the VLAN to be used for split tunneling.

c. From the Forward mode drop-down menu, select split-tunnel .

d. Click Apply .

In the CLI

(host) (config) #wlan ssid-profile <profile>
   essid <name>
   opmode <method>

(host) (config) #wlan virtual-ap <profile>
   ssid-profile <name>
   forward-mode <mode>
   vlan <vlan id>
   aaa-profile <profile>

(host) (config) #ap-group <name>
   virtual-ap <profile>

or

(host) (config) #ap-name <name>
   virtual-ap <profile>

Defining Corporate DNS Servers

Clients send DNS requests to the corporate DNS server address that they learned from DHCP. If split tunneling is configured, corporate domains and traffic destined for the corporate network use the corporate DNS server. For non-corporate domains and local traffic, other DNS servers can be used.

In the WebUI

1. Navigate to Configuration > Wireless > AP Configuration page.

2. Select either the AP Group or AP Specific tab. Click Edit for the AP group or AP name.

3. Under Profiles, select AP , then AP system profile .

4. Under Profile Details:

a. Enter the corporate DNS servers.

b. Click Add .

The DNS name appears in Corporate DNS Domain list. You can add multiple names the same way.

5. Click Apply .

In the CLI

(host) (config) #ap system-profile <profile> dns-domain <domain name>

Understanding Bridge

The bridge feature allows you to route the traffic flow only to the internet and not to the corporate network. Only the 802.1X authentication request is sent to the corporate network. This feature is useful for guest users.

ArubaOS does not support Wired 802.1X authentication in bridge mode for RAP and CAP. 802.1X authentication is supported only in tunnel and split modes.

Figure 107 Sample Bridge Environment

Figure 107 shows the local traffic being routed to the internet and the 802.1X authentication request being sent to the corporate network.

Configuring Bridge

To configure a bridge, perform the following steps. Each step is described in detail later in this chapter.

The bridge feature requires the PEFNG license. If you do not have the PEFNG license on your controller, you must install it before you configure bridge. For details on installing licenses, see Software Licenses on page 78.

1. Define a session ACL that routes the traffic.

a. Create rules to permit DHCP and local data traffic.

b. Apply the session ACL to a user role. For information about user roles and policies, see Roles and Policies on page 381.

2. Configure the remote AP’s AAA profile.

a. Specify the authentication method (802.1X or PSK) and the default user role for authenticated users.

The user role specified in the AAA profile must contain the session ACL defined in the previous step.

b. (Optional) Use the remote AP’s AAA profile to enable RADIUS accounting.

3. Configure the virtual AP profile:

a. Specify the AP group or ap-name to which the virtual AP profile applies.

b. Set the VLAN in the virtual AP.

c. When specifying the use of a bridge configuration, use bridge forward mode.

d. Create and apply the applicable SSID profile.

e. (Optional) Under AP system profile, configure the RAP DHCP pool. If the client needs to obtain an address from the RAP DHCP server, the RAP DHCP VLAN must be the same as the VAP's VLAN.

When creating a new virtual AP profile in the WebUI, you can simultaneously configure the SSID. For information about AP profiles, see Understanding AP Configuration Profiles on page 530.

Configuring the Session ACL

First you need to configure a session ACL that “permits” corporate traffic to be forwarded to the controller and that routes, or locally bridges, local traffic.

In the WebUI

1. Navigate to the Configuration > Security > Access Control > Policies page.

2. Click Add to create a new policy.

3. Enter the policy name in the Policy Name field.

4. From the Policy Type drop-down list, select Session .

5. From the IP Version drop-down list, select IPv4 or IPv6 .

6. To create the first rule:

a. Under Rules, click Add.

b. Under Source , select any .

c. Under Destination , select any .

d. Under Service , select service . In the service drop-down list, select svc-dhcp .

e. Under Action , select permit for IPv4 or captive for IPv6.

f. Click Add .

7. To create the next rule:

a. Under Rules, click Add.

b. Under Source, select any.

c. Under Destination, select alias.

The following steps define an alias representing the corporate network. Once defined, you can use the alias for other rules and policies. You can also create multiple destinations the same way.

8. Under the alias section, click New . Enter a name in the Destination Name field.

a. Click Add .

b. For Rule Type, select Network .

c. Enter the public IP address of the controller.

d. Enter the Network Mask/Range.

e. Click Add to add the network range.

f. Click Apply . The new alias appears in the Destination menu.

9. Under Destination , select the alias you just created.

10. Under Service, select any.

11. Under Action, select permit for IPv4 or captive for IPv6.

12. Click Add.

13. To create the next rule:

a. Under Rules, click Add.

b. Under Source , select user .

c. Under Destination , select any .

d. Under Service , select any .

e. Under Action , select any and check src-nat .

f. Click Add .

14. Click Apply.

15. Click the User Roles tab.

a. Click Add to create and configure a new user role.

b. Enter the desired name for the role in the Role Name field.

c. Under Firewall Policies , click Add .

d. From the Choose from Configured Policies drop-down menu, select the policy you just configured.

e. Click Done .

16. Click Apply.

In the CLI

If the DHCP server in the AP system profile is enabled:

(host) (config) #ip access-list session <policy>

(host) (config) #any any svc-dhcp permit

(host) (config) #user any any route src-nat

If the DHCP server in the AP system profile is disabled:

(host) (config) #ip access-list session <policy>

(host) (config) #any any any permit

(host) (config) #user-role <role>

(host) (config) #session-acl <policy>

To configure an ACL to restrict local debug homepage access, see Configuring an ACL to Restrict Local Debug Homepage Access on page 731.

Configuring the AAA Profile for Bridge

After you configure the session ACL, you define the AAA profile used for bridge. When defining the AAA parameters, specify the previously configured user role that contains the session ACL used for bridge.

If you enable RADIUS accounting in the AAA profile, the controller sends a RADIUS accounting start record to the RADIUS server when a user associates with the remote AP, and sends a stop record when the user logs out or is deleted from the user database. If you enable interim accounting, the controller sends updates at regular intervals. Each interim record includes cumulative user statistics, including received bytes and packets counters. For more information on RADIUS accounting, see RADIUS Accounting on page 208.

In the WebUI

1. Navigate to the Security > Authentication > AAA Profiles page. From the AAA Profiles Summary list, click Add .

2. Enter the AAA profile name, then click Add .

3. Select the AAA profile that you just created.

a. For 802.1X Authentication Default Role , select the user role you previously configured for split tunneling or bridge, then click Apply .

b. Under the AAA profile that you created, locate 802.1X Authentication Server Group , and select the authentication server group to use, then click Apply .

4. (Optional) To enable RADIUS accounting:

a. Select the AAA profile from the profile list to display the list of authentication and accounting profiles associated with the AAA profile.

b. Select the Radius Accounting Server Group profile associated with the AAA profile. Click the RADIUS Accounting Server Group drop-down list to select a RADIUS server group. (For more information on configuring a RADIUS server or server group, see Configuring a RADIUS Server on page 180.)

c. To enable RADIUS Interim Accounting, select the AAA profile name from the profile list, then click the RADIUS Interim Accounting checkbox. This option is disabled by default, allowing the controller to send only start and stop messages to the RADIUS accounting server.

5. Click Apply .

If you need to create an authentication server group, select new and enter the appropriate parameters.

In the CLI

Use the following command:

(host) (config) #aaa profile <name>

(host) (config) #authentication-dot1x <dot1x-profile>

(host) (config) #dot1x-default-role <role>

(host) (config) #dot1x-server-group <group>

(host) (config) #radius-accounting <group>

(host) (config) #radius-interim-accounting

Configuring Virtual AP Profile

In the WebUI

1. Navigate to Configuration > Wireless > AP Configuration page. Select either the AP Group or AP Specific tab. Click Edit for the applicable AP group name or AP name.

2. Under Profiles , select Wireless LAN , then Virtual AP .

3. To create a new virtual AP profile in the WebUI, select New from the Add a profile drop-down menu. Enter the name for the virtual AP profile, and click Add .

Whenever you create a new virtual AP profile in the WebUI, the profile automatically contains the “default” SSID profile with the default ESSID. You must configure a new ESSID and SSID profile for the virtual AP profile before you apply the profile.

a. In the Profile Details entry, go to the AAA Profile drop-down list and select the previously configured AAA profile. The AAA Profile pop-up window appears.

b. To set the AAA profile and close the window, click Apply .

c. In the Profile Details entry for the new virtual AP profile, select NEW from the SSID Profile drop-down menu. A pop-up window displays to allow you to configure the SSID profile.

d. Enter the name for the SSID profile.

e. Under Network , enter a name in the Network Name (SSID) field.

f. Under Security , select the network authentication and encryption methods.

g. To set the SSID profile and close the window, click Apply .

4. Click Apply at the bottom of the Profile Details window.

5. Click the new virtual AP name in the Profiles list or the Profile Details to display configuration parameters.

6. Under Profile Details:

a. Make sure Virtual AP enable is selected.

b. From the VLAN drop-down menu, select the VLAN ID for the VLAN to be used for bridge.

c. From the Forward mode drop-down menu, select Bridge .

d. Click Apply .

In the CLI

Use the following command:

(host) (config) #wlan ssid-profile <profile>

(host) (config) #essid <name>

(host) (config) #opmode <method>

(host) (config) #wlan virtual-ap <profile>

(host) (config) #ssid-profile <name>

(host) (config) #forward-mode bridge

(host) (config) #vlan <vlan id>

(host) (config) #aaa-profile <profile>

(host) (config) #ap-group <name>

(host) (config) #virtual-ap <profile>

or

(host) (config) #ap-name <name>

(host) (config) #virtual-ap <profile>

Provisioning Wi-Fi Multimedia

Wi-Fi Multimedia (WMM) is a Wi-Fi Alliance specification based on the IEEE 802.11e wireless Quality of Service (QoS) standard. WMM works with 802.11a, b, g, and n physical layer standards. The IEEE 802.11e standard also defines the mapping between WMM access categories (ACs) and Differentiated Services Codepoint (DSCP) tags. Remote APs support WMM.

WMM supports four ACs: voice, video, best effort, and background. You apply and configure WMM in the SSID profile.

When planning your configuration, make sure that immediate switches or routers do not have conflicting 802.1p or DSCP configurations/mappings. If this occurs, your traffic may not be prioritized correctly.

Reserving Uplink Bandwidth

You can reserve and prioritize uplink bandwidth traffic to provide higher QoS for specific applications, traffic, or ports. This is done by applying bandwidth reservation on existing session ACLs. Typically, the bandwidth reservation is applied for uplink voice traffic.

Note the following before you configure bandwidth reservation:

You must know the total bandwidth available.

Bandwidth reservations are applicable only on session ACLs.

Bandwidth reservation on voice traffic ACLs receives higher priority over other reserved traffic.

You can configure up to three unique priorities for bandwidth reservation.

The bandwidth reservation must be specified in absolute value (kbps).

Priorities for bandwidth reservation are optional, and bandwidth reservations without priorities are treated equally.

Understanding Bandwidth Reservation for Uplink Voice Traffic

The voice ACLs are applicable on the voice signaling traffic used to establish a voice call through a firewall. When a voice ACL is executed, a dynamic session is introduced to allow voice traffic through the firewall. This prevents the re-use of voice ACLs for bandwidth reservation. However, you can create bandwidth reservation rules that can be applied on voice signaling traffic and ports used for voice data traffic. This mechanism filters traffic as per the security requirements.

Configuring Bandwidth Reservation

You can configure bandwidth reservation ACLs using the WebUI or the CLI.

In the WebUI

To configure bandwidth reservation:

1. Navigate to Configuration > Advanced Services > All Profiles.

2. Under Profiles , navigate to AP > AP System Profile . You can create a new AP system profile to configure bandwidth reservation or edit an existing AP system profile. Under the Profiles Details page, specify bandwidth reservation values.

Figure 108 Uplink Bandwidth Reservation

In the CLI

(host) (config)#ap system-profile remotebw

(host) (AP system profile "remotebw") #rap-bw-total 1024

(host) (AP system profile "remotebw") #rap-bw-resv-1 acl voice 128 priority 1

To view bandwidth reservations:

(host) #show datapath rap-bw-resv ap-name remote-ap-1

Provisioning 4G USB Modems on Remote Access Points

ArubaOS provides support for 4G networks by allowing you to provision 4G USB modems on the RAP. You can also provision the RAP to support both 4G and 3G USB modems. This enables the RAP to choose the available network automatically. 4G takes precedence over 3G when the RAP tries to auto select the network. You can also configure the RAP to work exclusively on a 3G or 4G network. It is recommended that you provision the USB modems for the RAP based on your network requirements.

4G USB Modem Provisioning Best Practices and Exceptions

RAP does not support dynamic plug-and-play for the 4G USB modems. You must provision a RAP with the 4G USB parameters on the controller manually based on its type and family (4G-WiMAX/4G-LTE).

When a RAP connects to a 4G network, it appears as a Remote AP (R) and Cellular (C) on the controller.

For a 3G/4G network switch, using the UML290 modem with the firmware version L0290VWB522F.242 or later is recommended. Using a lower version of the firmware auto-selects the network mode based on the network availability. The latest version allows the RAP to lock the modem in a particular network mode (for example, 3G only).

The 4G-WiMAX family of modems do not support the 3G-4G network switch-over functionality.

ArubaOS 6.3 includes a new method of provisioning multimode USB modems (such as a Verizon UML290, Verizon MC551L, or AT&T 313u) for a remote AP. These changes simplify modem provisioning for both 3G and 4G networks. The modem configuration procedure in ArubaOS 6.2.0.x and earlier versions required that you define a driver for a 3G modem in the USB modem field under the AP provisioning profile, or define a driver for a 4G modem in the 4G USB type field. Starting with ArubaOS 6.3, you can configure drivers for both a 3G or a 4G modem using the USB field, and the 4G USB Type field is deprecated.

Provisioning RAP for USB Modems

To enable 3G/4G network support, you must provision the RAP with the USB parameters on the controller.

You can use the WebUI or CLI to provision the USB parameters.

In the WebUI

1. Navigate to the Configuration > Wireless > AP Installation page.

2. Select the Provisioning tab.

3. Select an AP and click Provision .

4. Select the Yes option by Remote AP .

5. Under USB Settings , select the USB Parameters check box.

6. Click the Device drop-down list and select a USB modem device.

7. Click the Cellular NW Preferences drop-down list and select one of the following provisioning options.

Table 162: Cellular Network Preference Parameters

| Parameter | Description |
|---|---|
| auto (default) | In this mode, the modem firmware will control the cellular network service selection; so the cellular network service failover and fallback is not interrupted by the remote AP (RAP). |
| 3g_only | Locks the modem to operate only in 3G. |
| 4g_only | Locks the modem to operate only in 4G. |
| advanced | The RAP controls the cellular network service selection based on a Received Signal Strength Indication (RSSI) threshold-based approach. Initially the modem is set to the default auto mode. This allows the modem firmware to select the available network. The RAP determines the RSSI value for the available network type (for example 4G), checks whether the RSSI is within required range, and if so, connects to that network. If the RSSI for the modem’s selected network is not within the required range, the RAP will then check the RSSI limit of an alternate network (for example, 3G), and reconnect to that alternate network. The RAP will repeat the above steps each time it tries to connect using a 4G multimode modem in this mode. |

8. Click Apply and Reboot to reboot the RAP with the new configuration.

In the CLI

To enable 4G-exclusive network support on the RAP, execute the following commands:

(host) (config) #ap provisioning-profile <profile-name>

(host) (Provisioning profile "<profile-name>") #usb-type <USB modem type>

(host) (Provisioning profile "<profile-name>") #usb-type none

(host) (Provisioning profile "<profile-name>") #cellular_nw_preference 4g_only

To enable 3G-exclusive network support on the RAP, execute the following commands:

(host) (config) #ap provisioning-profile <profile-name>

(host) (Provisioning profile "<profile-name>") #usb-type <USB modem type>

(host) (Provisioning profile "<profile-name>") #usb-type none

(host) (Provisioning profile "<profile-name>") #cellular_nw_preference 3g_only

To enable 3G/4G network switch support, execute the following commands:

(host) (config) #ap provisioning-profile <profile-name>

(host) (Provisioning profile "<profile-name>") #usb-type <USB modem type>

(host) (Provisioning profile "<profile-name>") #usb-type none

(host) (Provisioning profile "<profile-name>") #cellular_nw_preference auto

RAP 3G/4G Backhaul Link Quality Monitoring

The RAP is enhanced to support link monitoring on 2G, 3G, and 4G modems to provide information about the state of the USB modem and cellular network.

The USB modem has the following four states:

Active - The USB modem is used as the primary path for connecting VPN to the controller

Standby or Backup - The network is available but the USB modem is not used for connecting VPN to the controller

Error - The USB modem is available but the modem is faulty

Not Plugged - The USB modem is unavailable

To view the USB modem details on the RAP, execute the following command:

(host) #show ap debug usb ap-name <ap-name>

Provisioning RAPs at Home

The following section provides information on provisioning your remote AP (RAP) at home using a static IP address, PPPoE connection, or USB modem.

Prerequisites

Follow the steps below to acquire a static IP address before provisioning the RAP at home:

1. Connect the RAP at the site of deployment and ensure that it has connectivity to the Internet to reach the controller.

2. Connect a laptop to Port 1 of the RAP to get an IP address from the RAP's internal DHCP pool.

Provisioning RAP Using Zero Touch Provisioning

Provision the RAP using the provisioning wizard:

1. Navigate to the RAP configuration URL: http://rapconsole.arubanetworks.com.

2. Enter the IP address or hostname of the controller.

3. Click the Show Advanced Settings link, shown in Figure 109.

Figure 109 Show Advanced Settings

4. In the Advanced Settings wizard, you can select one of the following: a.

Static IP —Select this tab to provision your RAP using a static IP address.

b.

PPPoE —Select this tab to provision your RAP on a PPPoE connection.

c.

USB —Select this tab to provision your RAP using 3G/EVDO USB modem.


Provisioning the RAP using a Static IP Address

Select the Static IP tab and enter the required details. See Table 163 for information on parameters.

Figure 110 Provision RAP using Static IP

Table 163: Provision using Static IP

Parameter      Description
IP Address     Enter the static IP address that you want to configure for your remote access point.
Netmask        Enter the network mask.
Gateway        Enter the default gateway IP address of your network.
Primary DNS    Enter the IP address of your primary DNS server. This is an optional parameter.
Domain         Enter your domain name. This is an optional parameter.

Click Save after you have entered all the details.

Provision the RAP on a PPPoE Connection

Select the PPPoE tab and enter the required details. See Table 164 for information on parameters.

Figure 111 Provision RAP on a PPPoE Connection


Table 164: Provision using PPPoE Connection

Parameter      Description
Service Name   Enter the PPPoE service name provided to you by your service provider. This parameter is optional.
Username       Enter the user name for the PPPoE connection.
Password       Enter your PPPoE password.

Click Save after you have entered all the details.

Using 3G/EVDO USB Modems

The following procedure illustrates provisioning your RAP using a 3G/EVDO USB modem.

1. Select the USB tab and select your modem from the drop-down list. Configuration details automatically appear for some common modems.

Figure 112 Provision using a preconfigured USB Modem

2. If your modem name is not listed, select Other and manually enter the following details. These are available from the manufacturer of your modem or from your IT administrator:


Figure 113 Provision using a USB Modem with Custom Settings

- Device Type

- Initializing String

- PPP Username

- PPP Password

- TTY Device Path

- Device Identifier

- Dial String

- Link Priority Cellular—This is a number that identifies the priority of the connection. If the Link Priority Cellular has a higher number than Link Priority Ethernet, then cellular connection is used.

- Link Priority Ethernet—This is a number that identifies the priority of the connection. If the Link Priority Ethernet has a higher number than Link Priority Cellular, then Ethernet connection is used.

3. Click Save after you have entered all the details and click Continue to complete provisioning of your RAP.

Configuring RAP-3WN and RAP-3WNP Access Points

The Aruba RAP-3WN and RAP-3WNP are single-radio, single-band wireless APs that support the IEEE 802.11n standard for high-performance WLAN. These APs use MIMO (Multiple-In, Multiple-Out) technology and other high-throughput mode techniques to deliver high-performance, 802.11n 2.4 GHz functionality while simultaneously supporting existing 802.11 b/g wireless services.

See the Aruba RAP-3WN Installation Guide for more information.

These access points require Aruba Instant 3.0 or later to operate as an Instant AP, or ArubaOS 6.1.4.0 or later to operate as a Remote AP.

The Power Sourcing Equipment (PSE) functionality is available only for RAP-3WNP APs, as the PoE itself provides the PSE functionality for RAP-3WN APs. You can use the WebUI or CLI to enable or disable the PSE functionality on the RAP-3WNP APs.


In the WebUI

1. Navigate to the Configuration > Advanced Services > All Profiles page.

2. Select the AP tab, then the AP Ethernet Link profile tab.

3. Select the default tab.

4. Select the Power over Ethernet checkbox.

5. Click Apply.

In the CLI

To enable, enter:

(host)(config) #ap enet-link-profile <name> poe

To disable, enter:

(host)(config) #ap enet-link-profile <name> no poe

Use the following command to view the PoE port status on an AP:

(host) #show ap enet-link-profile default

Converting an IAP to RAP or CAP

For IAP to RAP or CAP conversion, the virtual controller sends the convert command to all the other IAPs. The virtual controller along with the other slave IAPs then set up a VPN tunnel to the remote controller, and download the firmware by FTP. The Virtual Controller uses IPsec to communicate to the controller over the internet.

A mesh point cannot be converted to RAP because mesh does not support VPN connection.

An IAP can be converted to a Campus AP and Remote AP only if the controller is running ArubaOS 6.1.4 or later.

The following table describes the supported IAP platforms and minimal AOS version for IAP to CAP/RAP conversion.

Converting IAP to RAP

To convert an IAP to RAP, follow the instructions below:

1. Navigate to the Maintenance tab in the top right corner of the Instant UI.

2. Click the Convert tab.

3. Select Remote APs managed by a Controller from the drop-down list.

4. Enter the hostname (fully qualified domain name) or the IP address of the controller in the Hostname or IP Address of Controller text box. This information is provided by your network administrator.

Ensure the Controller IP Address is reachable by the IAPs.

5. Click Convert Now to complete the conversion.

6. The IAP reboots and begins operating in RAP mode.

7. After conversion, the IAP is managed by the Aruba controller which has been specified in the Instant UI.


In order for the RAP conversion to work, ensure that you configure the Instant AP in the RAP white-list and enable the FTP service on the controller.

If the VPN setup fails and an error message pops up, please click OK, copy the error logs and share them with your Aruba support engineer.

Converting an IAP to CAP

To convert an IAP to a Campus AP, do the following:

1. Navigate to the Maintenance tab in the top right corner of the Instant UI.

2. Click the Convert tab.

3. Select Campus APs managed by a Controller from the drop-down list.

4. Enter the hostname (fully qualified domain name) or the IP address of the controller in the Hostname or IP Address of Controller text box. This is provided by your network administrator.

Ensure that the Controller IP Address is reachable by the APs.

5. Click Convert Now to complete the conversion.

Enabling Bandwidth Contract Support for RAPs

This release of ArubaOS provides Bandwidth Contract support on remote APs. This is achieved by extending the Bandwidth Contract support on split-tunnel and bridge modes.

You can apply Bandwidth Contract for a RAP on a per-user or per-role basis. Bandwidth Contract is applied on a per-role basis by default. This implies that all the users belonging to the same role will share the bandwidth pool. When Bandwidth Contract configured on the controller is attached to a user-role, it automatically gets pushed to the RAPs terminating on it.

The following show commands have been enhanced in this release to retrieve the Bandwidth Contract information from the RAP:

show datapath user ap-name <ap-name>

show datapath bwm ap-name <ap-name>

Configuring Bandwidth Contracts for RAP

You can configure bandwidth contracts for RAP on a per-role or per-user basis. The following examples illustrate how to configure, apply, and verify the Bandwidth Contracts on the RAPs.

Defining Bandwidth Contracts

Use the following command to define a 256 Kbps contract:

(host) (config) #aaa bandwidth-contract 256k kbits 256

Use the following command to define a 512 Kbps contract:

(host) (config) #aaa bandwidth-contract 512k kbits 512

Applying Contracts

You can apply the contract on a per-role or per-user basis.

Applying Contracts Per-Role

Use the following commands to apply the contracts on a per-role basis for upstream and downstream:


For upstream contract of 512 Kbps:

(host) (config) #user-role authenticated bw-contract 512k upstream

For downstream contract of 256 Kbps:

(host) (config) #user-role authenticated bw-contract 256k downstream

Applying Contracts Per-User

Use the following commands to apply the contracts on a per-user basis for upstream and downstream:

For upstream contract of 512 Kbps:

(host) (config) #user-role authenticated bw-contract 512k per-user upstream

For downstream contract of 256 Kbps:

(host) (config) #user-role authenticated bw-contract 256k per-user downstream

Verifying Contracts on AP

The following example displays the bandwidth contracts on AP for per-role configuration:

(host) #show datapath bwm ap-name rap5-2
Datapath Bandwidth Management Table Entries
-------------------------------------------
Flags: Q - No drop, P - No shape(Only Policed),
       T - Auto tuned
--------------------------------------------------------------------
Rate: pps - Packets-per-second (256 byte packets), bps - Bits-per-second
--------------------------------------------------------------------
Cont                      Avail   Queued/Pkts
Id   Rate      Policed    Bytes   Bytes        Flags
---- --------- ---------- ------- ------------ -----
1    512000    0          16000   0/0          P
2    256000    0          8000    0/0          P

The following example displays the bandwidth contracts on AP for per-user configuration (contract IDs 3 and 4 are per-user contracts):

(host) #show datapath bwm ap-name rap5-2
Datapath Bandwidth Management Table Entries
-------------------------------------------
Flags: Q - No drop, P - No shape(Only Policed),
       T - Auto tuned
--------------------------------------------------------------------
                          Avail   Queued/Pkts
Id   Rate      Policed    Bytes   Bytes        Flags
---- --------- ---------- ------- ------------ -----
3    512000    300        16000   0/0          P
4    256000    277        8000    0/0          P
1    512000    0          16000   0/0          P
2    256000    0          8000    0/0          P
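The check described above can be scripted. The following Python is an added example, not part of the guide: it derives the expected rates from the configuration commands in this section and compares them with the rows of the show datapath bwm table. The function names and the kbits-to-bps factor (inferred from the sample output, where the 512 kbits contract appears as 512000) are assumptions, and the inputs are constructed from the samples above.

```python
import re

# Constructed inputs: the commands from this section and the rows of the
# per-user sample table (legend and header lines omitted).
CONFIG = """\
aaa bandwidth-contract 256k kbits 256
aaa bandwidth-contract 512k kbits 512
user-role authenticated bw-contract 512k per-user upstream
user-role authenticated bw-contract 256k per-user downstream
"""
BWM_OUTPUT = """\
3    512000    300        16000   0/0          P
4    256000    277        8000    0/0          P
1    512000    0          16000   0/0          P
2    256000    0          8000    0/0          P
"""

# Columns: Id, Rate, Policed, Avail Bytes, Queued/Pkts Bytes, Flags
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)/(\d+)\s*(\S*)\s*$")


def configured_rates(config):
    """Map (role, direction) -> expected rate in bps, or None if the contract is undefined."""
    contracts, applied = {}, {}
    for line in config.splitlines():
        w = line.split()
        if len(w) == 5 and w[:2] == ["aaa", "bandwidth-contract"] and w[3] == "kbits":
            # Assumption from the sample output: "kbits 512" is shown as 512000.
            contracts[w[2]] = int(w[4]) * 1000
        elif len(w) >= 5 and w[0] == "user-role" and w[2] == "bw-contract":
            applied[(w[1], w[-1])] = w[3]
    return {key: contracts.get(name) for key, name in applied.items()}


def parse_bwm(output):
    """Return one dict per table row; legend and header lines are skipped."""
    rows = []
    for line in output.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({"id": int(m.group(1)), "rate": int(m.group(2)),
                         "policed": int(m.group(3)), "flags": m.group(7)})
    return rows


def verify(config, output):
    """Return (missing, policing): applied contracts whose rate is absent
    from the AP table, and the contract IDs with a non-zero Policed counter."""
    rows = parse_bwm(output)
    rates_on_ap = {r["rate"] for r in rows}
    missing = sorted(key for key, rate in configured_rates(config).items()
                     if rate is None or rate not in rates_on_ap)
    policing = [r["id"] for r in rows if r["policed"] > 0]
    return missing, policing
```

The comparison is by rate only, because the table does not show which contract ID belongs to which role or direction.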

Verifying Contracts Applied to Users

After a user connects to the AP, you can use the CLI to verify that the contracts are applied to that user.

The following is a sample output for a per-role configuration:

(host) #show datapath user ap-name rap5-2
Datapath User Table Entries
---------------------------
Flags: P - Permanent, W - WEP, T- TKIP, A - AESCCM, G - AESGCM, V - ProxyArp to/for MN (Visitor),
       N - VPN, L - local, Y - Any IP user, R - Routed user, M - Media Capable,
       S - Src NAT with VLAN IP, E - L2 Enforced, F - IPIP Force Delete, O - VOIP user, I - Interim stats,
       C - Inactive, D - Suppress Idle TMO, m - IP mobile user anchor, H - 1st DHCP sent to AUTH
FM(Forward Mode): S - Split, B - Bridge, N - N/A
IP             MAC                ACLs    Contract  Location  Age    Sessions  Flags  Vlan
-------------  -----------------  ------  --------  --------  -----  --------  -----  ----
10.15.72.50    00:0B:86:61:12:AC  2703/0  0/0       0         16     1/65535   P      0
10.15.72.253   00:18:8B:A9:A8:DF  52/0    1/2       0         1      0/65535          1
192.168.11.1   00:0B:86:66:03:3F  2700/0  0/0       0         20024  0/65535   P      177
10.15.196.249  00:0B:86:66:03:3F  2700/0  0/0       0         3      1/65535   P      1
FM  IdleTMO
---------
N   300
S   300
N   300
N   300

The following is a sample output for a per-user configuration:

(host) #show datapath user ap-name rap5-2
Datapath User Table Entries
---------------------------
Flags: P - Permanent, W - WEP, T- TKIP, A - AESCCM, G - AESGCM, V - ProxyArp to/for MN (Visitor),
       N - VPN, L - local, Y - Any IP user, R - Routed user, M - Media Capable,
       S - Src NAT with VLAN IP, E - L2 Enforced, F - IPIP Force Delete, O - VOIP user, I - Interim stats,
       C - Inactive, D - Suppress Idle TMO, m - IP mobile user anchor, H - 1st DHCP sent to AUTH
FM(Forward Mode): S - Split, B - Bridge, N - N/A
FM  IdleTMO
---------
N   300
S   300
N   300
N   300

Verifying Bandwidth Contracts During Data Transfer

You can verify the Bandwidth Contracts that are in use during data transfer using the CLI.

The following is a sample output for a per-role configuration:

(host) #show datapath session ap-name rap5-2 table 10.15.72.99
Datapath Session Table Entries
------------------------------
Flags: F - fast age, S - src NAT, N - dest NAT
       D - deny, R - redirect, Y - no syn
       H - high prio, P - set prio, T - set ToS
       C - client, M - mirror, V - VOIP
       Q - Real-Time Quality analysis
       I - Deep inspect, U - Locally destined
       E - Media Deep Inspect, G - media signal
       r - Route Nexthop
       A - Application Firewall Inspect
       B - Permanent, O - Openflow
RAP Flags: 1 - Class 1, 2 - Class 2, 3 - Class 3
Source IP     Destination IP  Prot  SPort  DPort  Cntr  Prio  ToS  Age  Destination
------------  --------------  ----  -----  -----  ----  ----  ---  ---  -----------
10.15.72.253  10.15.72.99     6     5001   36092  1/1   0     0    0    dev12
10.15.72.253  10.15.72.99     6     3488   5001   1/1   0     0    0    dev5
10.15.72.99   10.15.72.253    6     5001   3488   1/2   0     0    0    dev5
10.15.72.99   10.15.72.253    6     36092  5001   1/2   0     0    0    dev12

TAge Packets Bytes Flags

---- ---------------------

6 --

6 --

6 --

6 --

--

--

--

--

C

C

C

The following is a sample output for a per-user configuration:

(host) #show datapath session ap-name rap5-2 table 10.15.72.99
Datapath Session Table Entries
------------------------------
Flags: F - fast age, S - src NAT, N - dest NAT
       D - deny, R - redirect, Y - no syn
       H - high prio, P - set prio, T - set ToS
       C - client, M - mirror, V - VOIP
       Q - Real-Time Quality analysis
       I - Deep inspect, U - Locally destined
       E - Media Deep Inspect, G - media signal
       r - Route Nexthop
       A - Application Firewall Inspect
       B - Permanent, O - Openflow
RAP Flags: 1 - Class 1, 2 - Class 2, 3 - Class 3
Source IP     Destination IP  Prot  SPort  DPort  Cntr  Prio  ToS  Age  Destination
------------  --------------  ----  -----  -----  ----  ----  ---  ---  -----------
10.15.72.253  10.15.72.99     6     3489   5001   1/3   0     0    0    dev5
10.15.72.99   10.15.72.253    6     5001   3489   1/4   0     0    0    dev5
10.15.72.99   10.15.72.253    6     36096  5001   1/4   0     0    0    dev12
10.15.72.253  10.15.72.99     6     5001   36096  1/3   0     0    0    dev12

TAge Packets Bytes Flags

---- ---------------------

37

37

--

--

--

--

FC

F

37

37

--

--

--

--

C

RAP TFTP Image Upgrade

Starting from ArubaOS 6.5, you can enable or disable the TFTP image upgrade on a RAP. This feature does not impact the campus APs. You can enable or disable this feature using the WebUI or the CLI.

In the WebUI

The following WebUI procedure enables or disables the TFTP image upgrade on a RAP:

1. Navigate to Configuration > ADVANCED SERVICES > All Profiles .

2. In the Profiles section, expand AP > AP system .

3. Select the default ap system-profile.


4. In the Profile Details section, click the Advanced tab.

5. Select the Disable RAP Tftp Image Upgrade check box.

Note: Selecting the check box disables the TFTP image upgrade. Clearing the check box enables the TFTP image upgrade.

6. Click Apply .

In the CLI

The following commands enable or disable the TFTP image upgrade on a RAP:

(host) (config) #ap system-profile default

(host) (AP system profile "default") #[no] disable-tftp-image-upgrade

(host) (AP system profile "default") #write memory

The following command displays if the TFTP image upgrade is enabled or disabled in the AP system profile:

(host) #show ap system-profile default
AP system profile "default"
---------------------------
Parameter                                Value
---------                                -----
RF Band                                  g
RF Band for AM mode scanning             all
Native VLAN ID                           10
Tunnel Heartbeat Interval                1
Session ACL                              ap-uplink-acl
Corporate DNS Domain                     N/A
SNMP sysContact                          N/A
LED operating mode (11n/11ac APs only)   normal
LED override                             Disabled
Driver log level                         warnings
Console log level                        emergencies
SAP MTU                                  N/A
RAP MTU                                  1200 bytes
LMS IP                                   N/A
Backup LMS IP                            N/A
LMS IPv6                                 N/A
Backup LMS IPv6                          N/A
LMS Preemption                           Disabled
LMS Hold-down Period                     600 sec
LMS ping interval                        20
Remote-AP DHCP Server VLAN               N/A
Remote-AP DHCP Server Id                 192.168.11.1
Remote-AP DHCP Default Router            192.168.11.1
Remote-AP DHCP DNS Server                N/A
Remote-AP DHCP Pool Start                192.168.11.2
Remote-AP DHCP Pool End                  192.168.11.254
Remote-AP DHCP Pool Netmask              255.255.255.0
Remote-AP DHCP Lease Time                0 days
Remote-AP uplink total bandwidth         0 kbps
Remote-AP bw reservation 1               N/A
Remote-AP bw reservation 2               N/A
Remote-AP bw reservation 3               N/A
Remote-AP Local Network Access           Disabled
Bootstrap threshold                      8
Double Encrypt                           Disabled
Dump Server                              N/A
Heartbeat DSCP                           0
Maintenance Mode                         Disabled
Maximum Request Retries                  10
Request Retry Interval                   10 sec
Number of IPSEC retries                  85
Secondary Master IP/FQDN                 exit
AeroScout RTLS Server                    N/A
RTLS Server configuration                N/A
RTLS Server Compatibility Mode           Enabled
Slow Timer Recovery by rebooting itself  Disabled
Telnet                                   Enabled
Disable RAP Tftp Image Upgrade           Disabled
Spanning Tree                            Enabled
AP multicast aggregation                 Disabled
AP ARP attack protection                 Enabled
AP multicast aggregation allowed VLANs   none
Console enable                           Enabled
AP Console Protection                    Disabled
AP Console Password                      ********
Password for Backup                      ********
AP USB Power override                    Disabled
RF Band for Backup                       all
Operation for Backup                     off
BLE Endpoint URL                         N/A
BLE Auth Token                           N/A
BLE Operation Mode                       Disabled
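Because the parameter is a negative switch, a value of Disabled in this output means the TFTP image upgrade is still allowed. The following Python is an added example, not part of the guide: it parses saved show ap system-profile output and reports parameters that differ from a policy. The policy values, the function names, and the assumption that columns are separated by at least two spaces are illustrative; the sample text is constructed from the output above.

```python
import re

# Assumed site policy (not from the guide): the value each parameter should show.
# "Disable RAP Tftp Image Upgrade" is a negative switch, so Enabled means
# the TFTP image upgrade is turned off.
POLICY = {
    "Disable RAP Tftp Image Upgrade": "Enabled",
    "Telnet": "Disabled",
}

# Constructed excerpt using values from the sample output in this section.
SAMPLE = """\
AP system profile "default"
---------------------------
Parameter                                Value
---------                                -----
RAP MTU                                  1200 bytes
Telnet                                   Enabled
Disable RAP Tftp Image Upgrade           Disabled
AP Console Password                      ********
"""


def parse_profile(output):
    """Return (profile_name, {parameter: value}) from the command output."""
    name, params = None, {}
    for raw in output.splitlines():
        line = raw.strip()
        m = re.match(r'^AP system profile "(.+)"$', line)
        if m:
            name = m.group(1)
            continue
        if not line or set(line) <= {"-", " "}:
            continue  # blank line or dashed separator
        # Assumption: parameter and value are separated by two or more spaces.
        parts = re.split(r"\s{2,}", line, maxsplit=1)
        if len(parts) == 2 and parts != ["Parameter", "Value"]:
            params[parts[0]] = parts[1]
    return name, params


def tftp_upgrade_allowed(output):
    """True if TFTP image upgrade is allowed, False if it is turned off,
    None if the parameter is not in the output."""
    _, params = parse_profile(output)
    value = params.get("Disable RAP Tftp Image Upgrade")
    return None if value is None else value.lower() == "disabled"


def audit(output, policy=POLICY):
    """Return (profile, parameter, actual, wanted) for each policy mismatch."""
    name, params = parse_profile(output)
    findings = []
    for param, wanted in policy.items():
        actual = params.get(param, "missing")
        if actual.lower() != wanted.lower():
            findings.append((name, param, actual, wanted))
    return findings
```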
