Configuring Remote Networking with Aruba RAPs
These days I was busy configuring a remote networking concept built with an Aruba Mobility Controller (MC) 3200, in conjunction with RAP2WG remote access points. This is a basic configuration of the Aruba RAP deployment.
As the procedure to set up the controller can be a little confusing, I decided to post the procedure on my weblog.
In short, the following steps need to be done to get the RN setup working (basics):
1. configure the controller basics, e.g. IP address, vlans, trunks, etc.
2. define the aaa profile
3. define the ssid profile
4. define the virtual access-point profile (VAP)
5. define VPN settings
6. define provision profile
7. define AP group
8. whitelist the RAPs
9. open firewall ports
10. provision the RAPs (“zero touch”)
Well, let’s start with step 1. All of these things can be done through the GUI or the CLI of the MC, and you can alter some settings if you want.
step 1: configure the controller basics such as IP address, gateway, vlans, etc.
Part of this step can be done in the initial configuration dialog, which shows up when you first boot the MC. Some other settings need to be done afterwards. I configured a vlan (11) in a DMZ zone of a firewall, and a vlan (60) where the wireless clients will be in. I use port Gi1/0 as a trunk to the core switch with only vlans 11 and 60 allowed. I have created a loopback interface for the RAPs to connect to.
All of this is done by the following config:
clock timezone GMT 1
interface loopback
    ip address 10.1.1.200
vlan 11 "dmz"
vlan 60 "wireless-clients"
interface gigabitethernet 1/0
    switchport mode trunk
    switchport trunk allowed vlan 11,60
interface vlan 1
    ip address 172.16.0.254 255.255.255.0
interface vlan 11
    ip address 10.1.1.199 255.255.255.0
ip default-gateway 10.1.1.1
step 2: defining aaa profile
aaa profile "wifi-aaa-profile"
step 3: define the ssid profile
I used WPA for encryption, but you can use the one you like.
wlan ssid-profile "wifi-ssid-profile"
step 4: define the virtual access-point profile (VAP)
Bind the aaa and ssid profiles together in the VAP profile and define the vlan.
wlan virtual-ap "my-vap-profile"
step 5: define the VPN settings for the RAP2WGs (GUI)
The 3DES policy (priority 5 in this example) needs to be added for the RAP2WGs.
An IP address pool needs to be defined for the RAP2WGs. These addresses need to be unique in the routing domain.
ip local pool "albron-aps" 10.10.10.1 10.10.10.10
vpdn group l2tp
ppp authentication PAP
step 6: define provisioning profile
ap provisioning-profile "my-provisioning-profile"
master "x.x.x.x" #public IP of the controller, or the NAT address of the firewall
step 7: define the AP group
In the AP group, the VAP profile and the provisioning profile come together.
step 8: whitelist the RAPs
The new RAPs need to be whitelisted (MAC addresses) to be accepted by the MC. This can be done in the following part of the GUI. In this part, the RAPs will be associated with the AP group “MyAPGroup”.
step 9: open firewall ports
Seen from the Internet, you only have to open port udp/4500 (IPSec NAT-T) to the MC.
step 10: provision the RAP
The final step is to provide the RAP with the IP address where the MC can be reached. This can be done by connecting a wired PC to E1 of the RAP2WG and port E0 to a regular Internet connection (modem or router). Once the RAP2WG has booted (a couple of minutes), open a browser on the wired PC and type in any URL. The RAP configuration screen now shows up, and the IP address of the mobility controller has to be entered.
When this is done, the RAP2WG connects to the mobility controller and registers with it. After a couple of minutes, the RAP has rebooted again and is broadcasting the configured ESSID.
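Step 5 requires the RAP address pool to be unique in the routing domain. The Python check below is an added example, not part of the original post or of any Aruba tooling: it parses the "ip local pool" and interface "ip address" lines used in this post and reports any overlap. The function names and the "routed" parameter are hypothetical, and the sample config is constructed from the values shown above.

```python
import ipaddress
import re

# Constructed sample: the address-related lines from steps 1 and 5 of this post.
SAMPLE_CONFIG = """\
interface vlan 1
ip address 172.16.0.254 255.255.255.0
interface vlan 11
ip address 10.1.1.199 255.255.255.0
ip local pool "albron-aps" 10.10.10.1 10.10.10.10
"""

POOL_RE = re.compile(r'^\s*ip local pool "([^"]+)" (\S+) (\S+)\s*$')
ADDR_RE = re.compile(r'^\s*ip address (\S+) (\S+)\s*$')


def parse(config):
    """Return (pools, subnets) found in the config text."""
    pools, subnets = {}, []
    for line in config.splitlines():
        m = POOL_RE.match(line)
        if m:
            first, last = (ipaddress.IPv4Address(a) for a in m.group(2, 3))
            if first > last:
                raise ValueError(f"pool {m.group(1)}: start address after end")
            pools[m.group(1)] = (first, last)
            continue
        m = ADDR_RE.match(line)
        if m:
            # strict=False: the line carries a host address, not the network.
            subnets.append(ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False))
    return pools, subnets


def pool_conflicts(config, routed=()):
    """List (pool, network) pairs where a RAP pool overlaps a known network.

    `routed` (hypothetical parameter) holds extra prefixes from the rest of
    the routing domain that do not appear in the controller config itself.
    """
    pools, subnets = parse(config)
    known = subnets + [ipaddress.IPv4Network(r) for r in routed]
    conflicts = []
    for name, (first, last) in pools.items():
        blocks = list(ipaddress.summarize_address_range(first, last))
        for net in known:
            if any(b.overlaps(net) for b in blocks):
                conflicts.append((name, str(net)))
    return conflicts
```

An empty list from pool_conflicts(SAMPLE_CONFIG, routed=[...]) means the pool is free of overlaps with every prefix you listed; prefixes you did not pass in are not checked.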