Download - Mod12MBC-Remote AP-ZeroTouch-6.3-v1.3
8/17/2019 Mod12MBC-Remote AP-ZeroTouch-6.3-v1.3
http://slidepdf.com/reader/full/mod12mbc-remote-ap-zerotouch-63-v13 1/28
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved
Aruba Bootcamp – Remote AP – ZeroTouch
12-1
The functional difference between the RAP5 and a regular campus AP is virtually nil. The RAP5 is manufactured as a certificate RAP (it authenticates its IPsec tunnel to the controller with a factory-installed certificate). The other APs are manufactured as campus APs but may be re-configured as RAPs.
An administrator may want to pre-stage the RAPs even if zero-touch configuration is available, handing out ready-to-go RAPs. That type of deployment starts by connecting the RAP5 to the controller.
Alternatively, IT can send out unprovisioned RAPs to the end user, who then has to do minimal configuration work to bring the AP online: 1) connect Eth0 to the home router; 2) connect a laptop, wired, to Eth1 on the RAP (the RAP provides DHCP to the wired client); 3) launch a browser, which is redirected to an internal captive portal page asking the user to input the IP address of the controller that the RAP will terminate on (IT has to tell them this), then hit Continue. As long as the RAP configuration on the controller is correct AND IT has added the RAP's MAC address to the RAP whitelist, the RAP will connect. The whitelist entry only authorizes the AP; the RAP still has to authenticate the IPsec tunnel before it is allowed to bootstrap.
In the RAP wizard the following configuration can be modified for the Remote AP:
• AP Group
• Internal DHCP on RAP
• Corporate DNS
• Wired ports
• Wired forwarding modes
• Port setting
• Access Method
• WLAN for group
• Forwarding modes
• VLANs for WLAN
• Internal or Guest
• Encryption used
The RAP wizard allows corporate DNS servers to be queried for specific domain names, which is necessary for resolving internal names when using split-tunnel mode: queries for the listed domains go through the tunnel to the corporate resolvers, while everything else is resolved locally.
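To make that split-DNS decision concrete, here is an added example (illustrative Python written for these notes, not ArubaOS code) that models how a query name is matched against the corporate domains entered in the wizard. The domain list, resolver addresses and query names are assumed values for the example. It compares whole DNS labels, so a lookalike such as evilcorp.example.com is not forwarded to the corporate resolvers the way a plain string-suffix test would forward it.

```python
# Added example: models the split-tunnel DNS decision a RAP makes for each
# query. Illustrative code only, not ArubaOS's implementation; the domain
# list, resolver addresses and query names below are assumed for the example.
CORP_DOMAINS = ["corp.example.com", "intranet.example"]  # assumed wizard entries
CORP_DNS = ["10.1.1.53", "10.1.2.53"]                     # assumed corporate resolvers
LOCAL_DNS = ["192.168.1.1"]                               # assumed home router resolver


def _labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return [label.lower() for label in name.rstrip(".").split(".") if label]


def in_corp_domain(qname):
    """True if qname equals, or is a subdomain of, a configured corporate domain.

    The comparison is done on whole labels, so 'evilcorp.example.com' does not
    match 'corp.example.com' even though it ends with the same characters.
    """
    q = _labels(qname)
    for domain in CORP_DOMAINS:
        d = _labels(domain)
        if len(q) >= len(d) and q[-len(d):] == d:
            return True
    return False


def resolvers_for(qname):
    """Resolvers the RAP should forward this query to."""
    return CORP_DNS if in_corp_domain(qname) else LOCAL_DNS


def naive_suffix_match(qname):
    """The string-suffix shortcut that the label check above avoids."""
    return any(qname.lower().rstrip(".").endswith(d) for d in CORP_DOMAINS)


if __name__ == "__main__":
    for name in ["fileserver.corp.example.com", "www.example.org",
                 "evilcorp.example.com", "CORP.EXAMPLE.COM."]:
        print(f"{name:32} -> {resolvers_for(name)}")
```

The same label-boundary rule applies whenever a forwarding decision is keyed on a domain suffix; a lookalike host that merely ends in the corporate domain string must not be treated as internal.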
The next two screens of the RAP wizard allow the wired ports to be configured and a forwarding mode to be selected per port.
The controller contains separate whitelist databases for Campus and Remote APs.
The VPN address pool must be defined. This is the subnet from which each RAP's inner (tunnel) address is assigned.
Once the remote AP has authenticated for the VPN and established an IPsec connection, it is assigned a role. This is a temporary role held by the AP until it completes the bootstrap process, after which it inherits the ap-role. The appropriate ACLs need to be enabled to permit traffic from the controller to the AP and back to facilitate the bootstrap process. Keep this role as tight as the bootstrap allows: it applies to a device that has passed IPsec authentication but has not yet been validated and configured by the controller.
To configure the user role, first create a policy that permits the following traffic:
• AP control traffic via the Aruba PAPI protocol
• GRE tunnel traffic
• TFTP traffic from the remote AP to the controller
• FTP traffic from the remote AP to the controller
Regardless of the type of AP (RAP, CAP, Mesh, ...), the AP group determines which SSIDs the AP broadcasts.
It is necessary to specify the uplink bandwidth before configuring traffic classes: if the RAP's uplink interface transmits at a higher rate than the Internet uplink capacity, the Internet router will drop packets unpredictably. So even though the RAP transmits classified traffic honoring the configured reservations, the receiving end sees a distortion of the results. Set the total to the real upstream capacity of the home connection, not to the Ethernet link speed.
If Ethernet has higher priority than cellular, the feature disables itself while the uplink is via cellular, which means classification/reservation is no longer done on the uplink. When Ethernet becomes active again, the feature turns itself back on.
(Master) (AP system profile "rap") #rap-bw-?
rap-bw-resv-1 Configure class 1 of RAP bw reservation
rap-bw-resv-2 Configure class 2 of RAP bw reservation
rap-bw-resv-3 Configure class 3 of RAP bw reservation
rap-bw-total Set the RAP uplink internet bandwidth in kilobits per second
(Master) (AP system profile "rap") #rap-bw-total 1024
(Master) (AP system profile "rap") #rap-bw-resv-1 acl voice 512 priority 1
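To see why rap-bw-total has to match the real Internet uplink, here is an added example: a simplified Python model written for these notes, not Aruba's scheduler, that runs the configuration above (one voice class reserved at 512 kbps) through two stages, the RAP shaper, which honors reservations up to rap-bw-total, and the home router's uplink, which knows nothing about the classes and drops everything above its capacity proportionally. The 768 kbps real uplink and the offered loads are assumed values.

```python
# Added example: a simplified model of RAP bandwidth reservation, written for
# these notes. It is not Aruba's scheduler; the uplink capacity and offered
# loads are assumed values chosen to show the effect of a wrong rap-bw-total.
from dataclasses import dataclass


@dataclass
class BwClass:
    """One rap-bw-resv-<n> entry: traffic matching an ACL gets a reservation."""
    name: str
    reserved_kbps: int
    priority: int  # 1 = served first


def rap_shaper(offered, classes, rap_bw_total):
    """Model of the RAP uplink shaper.

    Reserved classes are served in priority order up to their reservation, then
    whatever is left below rap_bw_total is shared proportionally among the
    remaining demand. Returns kbps transmitted per traffic name.
    """
    sent = {name: 0 for name in offered}
    remaining = rap_bw_total
    for c in sorted(classes, key=lambda c: c.priority):
        take = min(offered.get(c.name, 0), c.reserved_kbps, remaining)
        sent[c.name] = take
        remaining -= take
    leftover = {n: offered[n] - sent[n] for n in offered}
    total_left = sum(leftover.values())
    if total_left > 0:
        for n in offered:
            if total_left <= remaining:
                sent[n] += leftover[n]
            else:
                # integer proportional share of the remaining capacity
                sent[n] += leftover[n] * remaining // total_left
    return sent


def isp_uplink(sent, uplink_kbps):
    """Model of the home router's Internet uplink.

    It is unaware of the RAP's classes, so anything above its capacity is
    dropped proportionally across all flows, voice included.
    """
    total = sum(sent.values())
    if total <= uplink_kbps:
        return dict(sent)
    return {n: v * uplink_kbps // total for n, v in sent.items()}


def delivered(offered, classes, rap_bw_total, uplink_kbps):
    """End-to-end kbps per traffic name that actually reach the controller."""
    return isp_uplink(rap_shaper(offered, classes, rap_bw_total), uplink_kbps)


# Assumed scenario: the class configured above, a 768 kbps real uplink,
# 512 kbps of voice offered and a data transfer that will take anything.
CLASSES = [BwClass("voice", 512, 1)]   # rap-bw-resv-1 acl voice 512 priority 1
OFFERED = {"voice": 512, "data": 2000}
REAL_UPLINK_KBPS = 768

if __name__ == "__main__":
    print("rap-bw-total 1024 (too high):", delivered(OFFERED, CLASSES, 1024, REAL_UPLINK_KBPS))
    print("rap-bw-total 768  (matches): ", delivered(OFFERED, CLASSES, 768, REAL_UPLINK_KBPS))
```

With rap-bw-total 1024 on a 768 kbps uplink the RAP sends 512 kbps of voice and 512 kbps of data, but the router trims both to 384 kbps, so the voice reservation is not met. With rap-bw-total 768 the shaper itself holds data to 256 kbps and the full 512 kbps of voice arrives.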
The RAP IPsec tunnel is set up in two phases:
Phase 1:
A secured channel between the RAP and the controller is established so that the phase 2 negotiation can take place.
Two modes: main mode (six messages, peer identities exchanged encrypted) and aggressive mode (three messages, identities sent in the clear). With a pre-shared key, the authentication hash exchanged in aggressive mode can be attacked offline by anyone who captures it, so certificate-based RAPs or strong per-AP keys are preferable.
Phase 2:
Completes the IPsec connection. Security Associations (SAs) are negotiated to determine the encryption and authentication algorithms to be used when sending user data.
Each SA is identified by a unique SPI, which is also negotiated during Phase 2.
Two encapsulation modes: tunnel and transport.
Phase 2 is established in quick mode (three messages).
The RAP whitelist validates the remote AP when it is first activated and identifies the AP group to which it should be assigned.
Recommendation: Ensure the temporary role contains at least the following rules
(MM800) #show ip access-list "VPN-role"
ip access-list session remoteap-acl
remoteap-acl
------------
Priority Source Destination Service Action TimeRange Log Expired Queue
-------- ------ ----------- ------- ------ --------- --- ------- -----
1 any any svc-syslog permit Low
2 any any svc-ntp permit Low
3 any any svc-papi permit Low
4 any mswitch svc-tftp permit Low
5 any mswitch svc-ftp permit Low
6 any any svc-gre permit Low
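As a check on the bootstrap policy for the temporary VPN role described earlier (PAPI, GRE, TFTP and FTP) and on the recommended rule set in the show output above, here is an added example, written for these notes rather than taken from the course or from ArubaOS, that parses show ip access-list output in that tabular format and reports any required service with no permit, TFTP/FTP rules opened wider than the controller (mswitch), and blanket any/any permits. The sample output is constructed to mirror the rules above.

```python
# Added example: audits the temporary VPN-role ACL against the minimum rules
# recommended in the notes. Written for these notes; not ArubaOS code. The
# SAMPLE_OUTPUT below is constructed to mirror the show output on the slide.
import re

SAMPLE_OUTPUT = """\
ip access-list session remoteap-acl
remoteap-acl
------------
Priority Source Destination Service Action TimeRange Log Expired Queue
-------- ------ ----------- ------- ------ --------- --- ------- -----
1 any any svc-syslog permit Low
2 any any svc-ntp permit Low
3 any any svc-papi permit Low
4 any mswitch svc-tftp permit Low
5 any mswitch svc-ftp permit Low
6 any any svc-gre permit Low
"""

# Minimum rules the notes recommend: service -> tightest acceptable destination.
# "mswitch" is the controller itself; "any" is accepted where the notes use it.
REQUIRED = {
    "svc-papi": "any", "svc-gre": "any", "svc-syslog": "any", "svc-ntp": "any",
    "svc-tftp": "mswitch", "svc-ftp": "mswitch",
}

# priority, source, destination, service, action; the trailing columns
# (TimeRange, Log, Expired, Queue) are often blank, so they are not captured.
RULE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(permit|deny)\b")


def parse_rules(text):
    """Return the ACL rows of a 'show ip access-list' dump as dicts."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            prio, src, dst, svc, action = m.groups()
            rules.append({"priority": int(prio), "src": src, "dst": dst,
                          "service": svc, "action": action})
    return rules


def audit_vpn_role_acl(text):
    """Check the dump against REQUIRED; report gaps and over-broad permits."""
    rules = parse_rules(text)
    permits = [r for r in rules if r["action"] == "permit"]
    missing, warnings = [], []
    for svc, want_dst in REQUIRED.items():
        hits = [r for r in permits
                if r["service"] == svc and r["dst"] in (want_dst, "any")]
        if not hits:
            missing.append(svc)
        elif want_dst == "mswitch" and all(r["dst"] == "any" for r in hits):
            warnings.append(f"{svc} permitted to any destination; restrict to mswitch")
    for r in permits:
        if r["service"] == "any" and r["dst"] == "any":
            warnings.append(f"rule {r['priority']} permits any service to any destination")
    return {"rules": len(rules), "missing": missing, "warnings": warnings}


if __name__ == "__main__":
    print(audit_vpn_role_acl(SAMPLE_OUTPUT))
```

Run it against a real dump by pasting the output in place of SAMPLE_OUTPUT; an empty missing list and no warnings means the role carries exactly the bootstrap traffic and nothing broader.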
If the end user is having difficulty connecting, they can run diagnostics from the RAP's local page.
The user can run some diagnostics and can also save a support file. Clicking "Save support file" saves a file on the user's laptop that can be sent to support for analysis.