mod12mbc-remote ap-zerotouch-6.3-v1.3


Page 1: Mod12MBC-Remote AP-ZeroTouch-6.3-v1.3

8/17/2019 Mod12MBC-Remote AP-ZeroTouch-6.3-v1.3

http://slidepdf.com/reader/full/mod12mbc-remote-ap-zerotouch-63-v13 1/28

CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved

 Aruba Bootcamp – Remote AP – ZeroTouch

12-1

Page 2: Mod12MBC-Remote AP-ZeroTouch-6.3-v1.3


Page 3: Mod12MBC-Remote AP-ZeroTouch-6.3-v1.3


The difference in functionality between the RAP5 and a regular Campus AP is virtually nil. The RAP5 is manufactured as a certificate RAP. The other APs are manufactured as Campus APs but may be re-configured as RAPs.

Page 4: Mod12MBC-Remote AP-ZeroTouch-6.3-v1.3


An administrator may want to pre-stage the RAPs even if Zero-Touch configuration is available. The administrator may decide to give out ready-to-go RAPs. These types of deployment would start with connecting the RAP5 to the controller.

On the other hand, IT can send out unprovisioned RAPs to the end user. The end user would then have to do minimal configuration work to bring the AP on-line:

1) Connect Eth0 to their home router.

2) Connect their laptop, wired, to Eth1 on the RAP. The RAP will provide DHCP to the wired client.

3) Launch a browser; it will be redirected to an internal Captive Portal page that asks the user to input the IP address of the controller that the RAP will terminate on (IT will have to tell them), then hit Continue.

So long as the RAP configuration on the controller is correct AND IT has added the RAP's MAC to the whitelist, the RAP will connect.

Page 5: Mod12MBC-Remote AP-ZeroTouch-6.3-v1.3


Page 6: Mod12MBC-Remote AP-ZeroTouch-6.3-v1.3


In the RAP wizard the following configuration can be modified for the Remote AP:

• AP Group
• Internal DHCP on RAP
• Corporate DNS
• Wired ports
• Wired forwarding modes
• Port setting
• Access Method
• WLAN for group
• Forwarding modes
• VLANs for WLAN
• Internal or Guest
• Encryption used

Page 7: Mod12MBC-Remote AP-ZeroTouch-6.3-v1.3


Page 8: Mod12MBC-Remote AP-ZeroTouch-6.3-v1.3


The RAP wizard allows for corporate DNS servers to be queried for specific domain names, which is necessary for internal domain queries when using split tunnel mode.

Page 9: Mod12MBC-Remote AP-ZeroTouch-6.3-v1.3


The next two screens of the RAP wizard allow wired ports to be configured and forwarding modes selected by port.

Page 10: Mod12MBC-Remote AP-ZeroTouch-6.3-v1.3


An administrator may want to pre-stage the RAPs even though Zero-Touch configuration is available. The administrator may decide to give out ready-to-go RAPs. These types of deployment would start with connecting the RAP5s to the controller.

Page 11: Mod12MBC-Remote AP-ZeroTouch-6.3-v1.3


Page 12: Mod12MBC-Remote AP-ZeroTouch-6.3-v1.3


Page 13: Mod12MBC-Remote AP-ZeroTouch-6.3-v1.3


The controller contains separate whitelist databases for Campus and Remote APs.

Page 14: Mod12MBC-Remote AP-ZeroTouch-6.3-v1.3


The VPN address pool must be defined. This is the subnet for the VPN tunnel.

Once the remote AP is authenticated for the VPN and has established an IPsec connection, it is assigned a role. This role is a temporary role assigned to the AP until it completes the bootstrap process, after which it inherits the ap-role. The appropriate ACLs need to be enabled to permit traffic from the controller to the AP and back, to facilitate the bootstrap process.

To configure the user role, you first create a policy that permits the following traffic:

• AP control traffic via the Aruba PAPI protocol
• GRE tunnel traffic
• TFTP traffic from the remote AP to the controller
• FTP traffic from the remote AP to the controller

Page 15: Mod12MBC-Remote AP-ZeroTouch-6.3-v1.3


Page 16: Mod12MBC-Remote AP-ZeroTouch-6.3-v1.3


Page 17: Mod12MBC-Remote AP-ZeroTouch-6.3-v1.3


Page 18: Mod12MBC-Remote AP-ZeroTouch-6.3-v1.3


Page 19: Mod12MBC-Remote AP-ZeroTouch-6.3-v1.3


Regardless of the type of AP (RAP, CAP, Mesh, ...), the AP group determines the type of SSID that will be broadcast by the AP.

Page 20: Mod12MBC-Remote AP-ZeroTouch-6.3-v1.3


It is necessary to specify the uplink bandwidth before configuring traffic classes: if the RAP uplink interface transmits at a higher rate than the Internet uplink capacity, the Internet router will drop packets unpredictably. Therefore, even though the RAP transmits classified traffic honoring the configured reservations, the receiving end will see a distortion in the results.

If Ethernet has higher priority than cellular, the feature disables itself while the uplink is via cellular. This means that classification/reservation will no longer be done on the uplink. If Ethernet becomes active again, the feature turns itself back on.

Page 21: Mod12MBC-Remote AP-ZeroTouch-6.3-v1.3


(Master) (AP system profile "rap") #rap-bw-?
rap-bw-resv-1    Configure class 1 of RAP bw reservation
rap-bw-resv-2    Configure class 2 of RAP bw reservation
rap-bw-resv-3    Configure class 3 of RAP bw reservation
rap-bw-total     Set the RAP uplink internet bandwidth in kilobits per second

(Master) (AP system profile "rap") #rap-bw-total 1024
(Master) (AP system profile "rap") #rap-bw-resv-1 acl voice 512 priority 1
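The previous slide's reasoning (reservations are only honoured if they fit inside the declared uplink rate) is easy to check offline before the profile is pushed. The following is an added example, not code from the module or from Aruba: it parses the rap-bw-total and rap-bw-resv-N lines of an AP system profile and flags a missing uplink rate or reservations that add up to more than it. The profile fragments are constructed for the example, and the rule that the sum of class reservations must not exceed rap-bw-total is this check's assumption drawn from the slide text, not a statement about what ArubaOS itself enforces.

```python
import re
from dataclasses import dataclass

# Constructed AP system profile fragment modelled on the slide's CLI lines.
# Three classes are reserved on a 1024 kbps uplink and deliberately add up
# to more than the uplink, so the check has something to report.
SAMPLE_PROFILE = """
rap-bw-total 1024
rap-bw-resv-1 acl voice 512 priority 1
rap-bw-resv-2 acl video 384 priority 2
rap-bw-resv-3 acl data 256 priority 3
"""

# Constructed fragment that fits within the uplink rate.
GOOD_PROFILE = """
rap-bw-total 1024
rap-bw-resv-1 acl voice 512 priority 1
rap-bw-resv-2 acl video 256 priority 2
"""

TOTAL_RE = re.compile(r"^rap-bw-total\s+(\d+)$")
RESV_RE = re.compile(
    r"^rap-bw-resv-([123])\s+acl\s+(\S+)\s+(\d+)\s+priority\s+(\d+)$")


@dataclass
class Reservation:
    cls: int        # reservation class 1..3
    acl: str        # ACL that classifies the traffic
    kbps: int       # reserved bandwidth in kilobits per second
    priority: int


def parse_profile(text):
    """Return (uplink kbps or None, list of Reservation) from profile lines."""
    total = None
    reservations = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = TOTAL_RE.match(line)
        if m:
            total = int(m.group(1))
            continue
        m = RESV_RE.match(line)
        if m:
            reservations.append(Reservation(
                int(m.group(1)), m.group(2), int(m.group(3)), int(m.group(4))))
    return total, reservations


def headroom_kbps(text):
    """Uplink bandwidth left after all class reservations (negative if over-subscribed)."""
    total, reservations = parse_profile(text)
    if total is None:
        raise ValueError("rap-bw-total is not set")
    return total - sum(r.kbps for r in reservations)


def check_reservations(text):
    """Return a list of problem strings; an empty list means the plan is consistent.

    Assumption for this example: reservations must fit inside rap-bw-total,
    otherwise the Internet router, not the RAP, decides what gets dropped.
    """
    total, reservations = parse_profile(text)
    problems = []
    if total is None:
        problems.append("rap-bw-total not set: classes cannot be honoured "
                        "without the uplink rate")
        return problems
    reserved = sum(r.kbps for r in reservations)
    if reserved > total:
        problems.append(f"reservations total {reserved} kbps exceed uplink "
                        f"{total} kbps by {reserved - total}")
    return problems


if __name__ == "__main__":
    for name, profile in (("SAMPLE_PROFILE", SAMPLE_PROFILE),
                          ("GOOD_PROFILE", GOOD_PROFILE)):
        print(name, check_reservations(profile) or "ok",
              "headroom:", headroom_kbps(profile))
```

Run the file directly to see both fragments checked; the over-subscribed one reports the excess, the other reports its remaining headroom.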

Page 22: Mod12MBC-Remote AP-ZeroTouch-6.3-v1.3


The RAP IPsec tunnel is set up in 2 phases:

Phase 1:

• A secured channel between the RAP and the controller is established for the Phase 2 negotiations to take place.
• Two modes: main mode and aggressive mode.

Phase 2:

• Completes the IPsec connection. Security Associations (SAs) are negotiated to determine the encryption and authentication algorithms to be used when sending user data.
• The SA is identified by a unique SPI, which is also negotiated during Phase 2.
• Two encapsulation modes: Tunnel and Transport.
• Phase 2 is established in Quick mode (3 messages).

Page 23: Mod12MBC-Remote AP-ZeroTouch-6.3-v1.3


Page 24: Mod12MBC-Remote AP-ZeroTouch-6.3-v1.3


The RAP whitelist validates the remote AP when it is first activated and identifies the AP group to which it should be assigned.

Page 25: Mod12MBC-Remote AP-ZeroTouch-6.3-v1.3


Recommendation: Ensure the temporary role contains at least the following rules

(MM800) #show ip access-list "VPN-role"

ip access-list session remoteap-acl
remoteap-acl
------------
Priority  Source  Destination  Service     Action  TimeRange  Log  Expired  Queue
--------  ------  -----------  -------     ------  ---------  ---  -------  -----
1         any     any          svc-syslog  permit                            Low
2         any     any          svc-ntp     permit                            Low
3         any     any          svc-papi    permit                            Low
4         any     mswitch      svc-tftp    permit                            Low
5         any     mswitch      svc-ftp     permit                            Low
6         any     any          svc-gre     permit                            Low
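A RAP that authenticates but never finishes bootstrapping is very often a temporary role missing one of the rules above, so it is worth checking the role's rule set against the list the module gives (PAPI, GRE, TFTP and FTP to the controller, plus the syslog and NTP rules in the recommended set). The following is an added example, not code from the module or from Aruba: it parses the text of a show ip access-list table such as the one on this slide and reports which required services the role does not permit. The sample output is constructed for the example (the recommended set with the GRE rule left out), and the matching is deliberately simple: rules are evaluated in priority order, the first rule for a service decides, and source/destination are not inspected, which is sufficient for the any/any and mswitch rules shown here.

```python
import re

# Constructed `show ip access-list` output modelled on the slide's table,
# with the svc-gre rule removed so that the check reports something.
SAMPLE_OUTPUT = """
ip access-list session remoteap-acl
remoteap-acl
------------
Priority Source Destination Service Action TimeRange Log Expired Queue
-------- ------ ----------- ------- ------ --------- --- ------- -----
1 any any svc-syslog permit Low
2 any any svc-ntp permit Low
3 any any svc-papi permit Low
4 any mswitch svc-tftp permit Low
5 any mswitch svc-ftp permit Low
"""

# Services the bootstrap role must permit, taken from the module's notes
# (PAPI, GRE, TFTP, FTP) and the recommended rule set (syslog, NTP).
REQUIRED_PERMITS = ("svc-papi", "svc-gre", "svc-tftp", "svc-ftp",
                    "svc-syslog", "svc-ntp")

# A rule line starts with its priority; TimeRange/Log/Expired are blank in the
# slide's output, so only the first five columns are parsed.
RULE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(permit|deny)\b")


def parse_rules(output):
    """Return the rule lines of a show ip access-list table as dicts."""
    rules = []
    for line in output.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append({"priority": int(m.group(1)), "source": m.group(2),
                          "destination": m.group(3), "service": m.group(4),
                          "action": m.group(5)})
    return rules


def permitted_services(rules):
    """Services whose first matching rule (lowest priority number) is a permit.

    Assumption for this example: session ACL rules are evaluated in priority
    order and the first match wins; source/destination are ignored here.
    """
    decided = {}
    for rule in sorted(rules, key=lambda r: r["priority"]):
        decided.setdefault(rule["service"], rule["action"])
    return {svc for svc, action in decided.items() if action == "permit"}


def missing_services(output, required=REQUIRED_PERMITS):
    """Required services the role does not permit, in the order of `required`."""
    allowed = permitted_services(parse_rules(output))
    return [svc for svc in required if svc not in allowed]


if __name__ == "__main__":
    gaps = missing_services(SAMPLE_OUTPUT)
    print("missing permits:", gaps or "none")
```

Paste the real output of show ip access-list for the temporary role in place of the constructed sample; an empty result means every service on the module's list is permitted before any deny for it.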

Page 26: Mod12MBC-Remote AP-ZeroTouch-6.3-v1.3


If the client is having difficulty, he/she has the capability to run diagnostics.

Page 27: Mod12MBC-Remote AP-ZeroTouch-6.3-v1.3


The client has the capability to run some diagnostics. The client also has the capability to save a support file. By clicking on "Save support file", a file will be saved on the client's laptop that can be sent to support for analysis.

Page 28: Mod12MBC-Remote AP-ZeroTouch-6.3-v1.3
