ArubaOS and Controllers

Reply
New Contributor
Posts: 1
Registered: ‎11-01-2011

Configure RAP - Basic Question

Hi,

Sorry for the newbie question. I am new to the Aruba. I have a controller with multiple local AP's. This part is working fine. We are trying a simple setup but that is kind of failing.

There are 2 SSID's Corporate and Guest. Both of them are on different VLAN and the Corp SSID is being forwarded to DHCP Server for the DHCP and the Controller is working as the DHCP for the Guest SSID.

We need to deploy RAP

These are the following steps i have taken

1. Create a 1:1 NAT on the firewall
2. Create the new group and whitelist the MAC of the RAP's
3. Broadcast the same 2 VLAN's on the RAP.

The configuration is as follows


ap-group "RAP"
virtual-ap "Guest-vap_prof"
virtual-ap "Corp-vap_prof"
enet1-port-profile "rap_enet_internal"
enet2-port-profile "rap_enet_internal"
enet3-port-profile "rap_enet_internal"
enet4-port-profile "rap_enet_internal"
provisioning-profile "Remote_AP_provision"
!
wlan virtual-ap "corp-vap_prof"
aaa-profile "corp-aaa_prof"
ssid-profile "corp-ssid_prof"
vlan 212
broadcast-filter arp
band-steering
!
wlan virtual-ap "Guest-vap_prof"
aaa-profile "Guest-aaa_prof"
ssid-profile "Guest-ssid_prof"
vlan 208
broadcast-filter arp
band-steering
!
interface vlan 212
ip address 10.x.x.20 255.255.252.0
ip helper-address 10.a.b.58
!
interface vlan 200
ip address 10.c.d.e 255.255.255.0
no ip routing
!
interface vlan 208
ip address 10.f.g.h 255.255.252.0
!

ap wired-ap-profile "rap_enet_port_profile_internal"
wired-ap-enable
switchport access vlan 212
trusted
no broadcast
!
ap wired-port-profile "rap_enet_internal"
wired-ap-profile "rap_enet_port_profile_internal"
!




The RAP is working, it is registering with the controller and the Guest SSID is working, How ever, the corp SSID is not, its not getting the IP address at all. The corp ssid needs a radius authentication.

The guest ssid also is kind of flaky. I have tried the corp ssid in bridge mode.


I also want to enable the split tunneling so that the traffic back to the corporate vlan comes encrypted. and the other traffic in the same ssid goes directly.

Thanks

Alok


P.S_ sorry for the long post
Guru Elite
Posts: 20,816
Registered: ‎03-29-2007

Re: Configure RAP - Basic Question


Hi,

Sorry for the newbie question. I am new to the Aruba. I have a controller with multiple local AP's. This part is working fine. We are trying a simple setup but that is kind of failing.

There are 2 SSID's Corporate and Guest. Both of them are on different VLAN and the Corp SSID is being forwarded to DHCP Server for the DHCP and the Controller is working as the DHCP for the Guest SSID.

We need to deploy RAP

These are the following steps i have taken

1. Create a 1:1 NAT on the firewall
2. Create the new group and whitelist the MAC of the RAP's
3. Broadcast the same 2 VLAN's on the RAP.

The configuration is as follows


ap-group "RAP"
virtual-ap "Guest-vap_prof"
virtual-ap "Corp-vap_prof"
enet1-port-profile "rap_enet_internal"
enet2-port-profile "rap_enet_internal"
enet3-port-profile "rap_enet_internal"
enet4-port-profile "rap_enet_internal"
provisioning-profile "Remote_AP_provision"
!
wlan virtual-ap "corp-vap_prof"
aaa-profile "corp-aaa_prof"
ssid-profile "corp-ssid_prof"
vlan 212
broadcast-filter arp
band-steering
!
wlan virtual-ap "Guest-vap_prof"
aaa-profile "Guest-aaa_prof"
ssid-profile "Guest-ssid_prof"
vlan 208
broadcast-filter arp
band-steering
!
interface vlan 212
ip address 10.x.x.20 255.255.252.0
ip helper-address 10.a.b.58
!
interface vlan 200
ip address 10.c.d.e 255.255.255.0
no ip routing
!
interface vlan 208
ip address 10.f.g.h 255.255.252.0
!

ap wired-ap-profile "rap_enet_port_profile_internal"
wired-ap-enable
switchport access vlan 212
trusted
no broadcast
!
ap wired-port-profile "rap_enet_internal"
wired-ap-profile "rap_enet_port_profile_internal"
!




The RAP is working, it is registering with the controller and the Guest SSID is working, How ever, the corp SSID is not, its not getting the IP address at all. The corp ssid needs a radius authentication.

The guest ssid also is kind of flaky. I have tried the corp ssid in bridge mode.


I also want to enable the split tunneling so that the traffic back to the corporate vlan comes encrypted. and the other traffic in the same ssid goes directly.

Thanks

Alok


P.S_ sorry for the long post




1 - Please remove the provisioning profile from the RAP ap-group.
2 - Why do you have "no ip routing" on VLAN 200?
3 - There are split tunneling directions in the ArubaOS user guide, but you probably need to fix your RAP WLAN issue first before configuring that.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Search Airheads
Showing results for 
Search instead for 
Did you mean: