Product and Software: This article applies to all Aruba controllers running ArubaOS 3.x or later.
Normally, the controller has the crypto configured like this:
crypto isakmp key "somekeys" address 0.0.0.0 netmask 0.0.0.0
This setup means the controller will accept IPsec connections from any source address. The remote AP (RAP) generally needs this configuration, because it connects from the user's SOHO network, where the IP address is not statically configured (the user receives an address by DHCP from the cable or DSL provider).
However, a RAP can also be deployed on campus to increase security or to traverse a NAT device. In that case, the customer might want to allow the RAP to connect from specific subnets only, so that a RAP moved to another location (for example, if the user takes it home or it is stolen) cannot connect.
To allow a RAP to connect only from specific subnets, use any of these methods:
- Configure the RAP with a static IP address that is valid only inside the campus/company network. If the RAP is moved to another location, it will not be able to connect.
- Configure the controller's internal private IP address as the LMS-IP in the AP system profile. The RAP can then establish the IPsec tunnel to the controller only when it is on the campus/corporate network; if the same RAP is placed on a network outside the campus/company, it cannot reach the LMS address and the IPsec tunnel fails.
- Configure a different crypto key for the specific subnet, for example:
crypto isakmp key "different key" address 10.10.10.0 netmask 255.255.255.0
Then provision the AP with the same key configured in the previous step. This setup allows the RAP to connect only from the 10.10.10.0/24 subnet: from any other address the controller does not use the subnet-specific key, so the RAP's provisioned key does not match and IKE authentication fails. Note that the key configured for 0.0.0.0 netmask 0.0.0.0 still accepts any RAP provisioned with that key from any address; only RAPs provisioned with the subnet-specific key are restricted.
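The following script is an added example, not Aruba code or part of the original article. It parses the two crypto isakmp key entries from the article (embedded here as a constructed running-config sample) and models which key the controller would pick for a RAP arriving from a given source IP. The selection rule it assumes, most-specific address/netmask match, is an assumption of this example and not stated by the article; the function and variable names are likewise hypothetical. It shows why a RAP provisioned with the subnet-specific key authenticates from 10.10.10.0/24 but not from elsewhere, and flags wildcard entries that still accept IKE from anywhere.

```python
"""Audit helper for ArubaOS 'crypto isakmp key' entries.

Added example, not Aruba code. Assumption: the controller matches the peer's
source IP against each address/netmask entry and uses the most specific
match (longest prefix). Names here are hypothetical.
"""
import ipaddress
import re

# Constructed sample of running-config lines (the two keys from the article),
# not output captured from a real controller.
SAMPLE_CONFIG = """\
crypto isakmp key "somekeys" address 0.0.0.0 netmask 0.0.0.0
crypto isakmp key "different key" address 10.10.10.0 netmask 255.255.255.0
"""

# Matches: crypto isakmp key "<psk>" address <ip> netmask <mask>
KEY_LINE = re.compile(
    r'^crypto isakmp key "(?P<key>[^"]*)" address (?P<addr>\S+) netmask (?P<mask>\S+)$'
)


def parse_isakmp_keys(config_text):
    """Return a list of (network, psk) tuples found in the config text."""
    entries = []
    for line in config_text.splitlines():
        m = KEY_LINE.match(line.strip())
        if m:
            # strict=False lets 10.10.10.0/255.255.255.0 and 0.0.0.0/0.0.0.0 parse.
            net = ipaddress.ip_network(f"{m['addr']}/{m['mask']}", strict=False)
            entries.append((net, m["key"]))
    return entries


def select_key(entries, peer_ip):
    """Most-specific matching entry for peer_ip (assumed rule); None if no match."""
    ip = ipaddress.ip_address(peer_ip)
    matches = [(net, key) for net, key in entries if ip in net]
    if not matches:
        return None
    return max(matches, key=lambda e: e[0].prefixlen)


def rap_can_authenticate(entries, peer_ip, provisioned_key):
    """True if the PSK provisioned on the RAP equals the key the controller
    would use for a peer at peer_ip, i.e. IKE authentication would succeed."""
    selected = select_key(entries, peer_ip)
    return selected is not None and selected[1] == provisioned_key


def wildcard_entries(entries):
    """Entries that accept IKE from any address (0.0.0.0 netmask 0.0.0.0)."""
    return [(net, key) for net, key in entries if net.prefixlen == 0]


if __name__ == "__main__":
    keys = parse_isakmp_keys(SAMPLE_CONFIG)
    for peer in ("10.10.10.5", "203.0.113.7"):
        net, key = select_key(keys, peer)
        ok = rap_can_authenticate(keys, peer, "different key")
        print(f"RAP at {peer}: controller uses key for {net} -> "
              f"{'authenticates' if ok else 'PSK mismatch, IKE fails'}")
    for net, key in wildcard_entries(keys):
        print(f"WARNING: wildcard key {key!r} on {net} accepts IKE from anywhere")
```

Run it against a saved running-config instead of the embedded sample to list every wildcard key; each one is a PSK that any device on the Internet may attempt IKE with, so the restricted-subnet method only protects RAPs that were provisioned with the subnet-specific key.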