Controller Based WLANs

How does remote AP authorization profile works

The AP authorization-profile specifies which configuration should the remote AP download before it is authenticated at the remote site. By default  these yet-unauthorized APs are put into the temporary AP group authorization-group .This configuration allows a user to connect to an unauthorized remote AP via a wired port then enter a corporate username and password.

 

Once a valid user has authorized the remote AP, the AP will be permanently marked as authorized on the network and will will then download the configuration assigned to that AP by it's permanent AP group.

 

This Article applies to Aruba Controllers running ArubaOS version 5.0 and above.

 

Environment : Remote AP deployment

 

Network Topology : Controller and remote AP

 

When the remote AP comes up on the controller if AP authorization profile is configured on the group to which it is provisioned then it downloads the AP authorization group configuration instead of the provisioned group .Once the remote user authorize the AP by entering the corporate credentials using the captive portal then the AP downloads the provisioned group configuration.

(Master) #show whitelist-db rap


AP-entry Details
----------------
Name               AP-Group  AP-Name            Full-Name  Authen-Username  Revoke-Text  AP_Authenticated  Description  Date-Added                Enabled  Remote-IP
----               --------  -------            ---------  ---------------  -----------  ----------------  -----------  ----------                -------  ---------
00:24:6c:cd:56:72  default   00:24:6c:cd:56:72                                           Provisioned                    Mon Aug 11 08:32:58 2014  Yes      1.1.1.1

AP Entries: 1

(Master) #show ap-group default

AP group "default"
------------------
Parameter                                Value
---------                                -----
Virtual AP                               test
802.11a radio profile                    default
802.11g radio profile                    default
Ethernet interface 0 port configuration  default
Ethernet interface 1 port configuration  default
Ethernet interface 2 port configuration  shutdown
Ethernet interface 3 port configuration  shutdown
Ethernet interface 4 port configuration  shutdown
AP system profile                        default
VoIP Call Admission Control profile      default
802.11a Traffic Management profile       N/A
802.11g Traffic Management profile       N/A
Regulatory Domain profile                default
RF Optimization profile                  default
RF Event Thresholds profile              default
IDS profile                              default
Mesh Radio profile                       default
Mesh Cluster profile                     N/A
Provisioning profile                     N/A
AP authorization profile                 Authorization-profile

(Master) # show ap authorization-profile Authorization-profile

AP Authorization profile "default" (Predefined (editable))
----------------------------------------------------------
Parameter               Value
---------               -----
AP authorization group  NoAuthApGroup

(Master) #show ap-group NoAuthApGroup

AP group "NoAuthApGroup" (Predefined (changed))
-----------------------------------------------
Parameter                                Value
---------                                -----
Virtual AP                               N/A
802.11a radio profile                    default
802.11g radio profile                    default
Ethernet interface 0 port configuration  default
Ethernet interface 1 port configuration  Wired-captive-portal-profile
Ethernet interface 2 port configuration  NoAuthWiredPort
Ethernet interface 3 port configuration  NoAuthWiredPort
Ethernet interface 4 port configuration  NoAuthWiredPort
AP system profile                        default
VoIP Call Admission Control profile      default
802.11a Traffic Management profile       N/A
802.11g Traffic Management profile       N/A
Regulatory Domain profile                default
RF Optimization profile                  default
RF Event Thresholds profile              default
IDS profile                              default
Mesh Radio profile                       default
Mesh Cluster profile                     N/A
Provisioning profile                     N/A
AP authorization profile                 N/A

 

(Master) #show whitelist-db rap


AP-entry Details
----------------
Name               AP-Group  AP-Name            Full-Name  Authen-Username  Revoke-Text  AP_Authenticated  Description  Date-Added                Enabled  Remote-IP
----               --------  -------            ---------  ---------------  -----------  ----------------  -----------  ----------                -------  ---------
00:24:6c:cd:56:72  default   00:24:6c:cd:56:72                                           Provisioned                    Mon Aug 11 08:32:58 2014  Yes      1.1.1.1


The RAP will come up in R- flag

(Master) #show ap database

AP Database
-----------
Name               Group    AP Type  IP Address  Status      Flags  Switch IP     Standby IP
----               -----    -------  ----------  ------      -----  ---------     ----------
00:24:6c:cd:56:72  default  RAP-2WG  1.1.1.1     Up 15m:40s  R-c2   172.16.0.100  0.0.0.0

Flags: U = Unprovisioned; N = Duplicate name; G = No such group; L = Unlicensed
       I = Inactive; D = Dirty or no config; E = Regulatory Domain Mismatch
       X = Maintenance Mode; P = PPPoE AP; B = Built-in AP
       R = Remote AP; R- = Remote AP requires Auth; C = Cellular RAP;
       c = CERT-based RAP; 1 = 802.1x authenticated AP; 2 = Using IKE version 2
       u = Custom-Cert RAP; S = Standby-mode AP; J = USB cert at AP
       M = Mesh node; Y = Mesh Recovery

Total APs:1


(Master) # show ap essid

ESSID Summary
-------------
ESSID  APs  Clients  VLAN(s)  Encryption
-----  ---  -------  -------  ----------
Num ESSID:0


Once the user authenticates using the captive portal page the state changes to Authenticated state

(Master) # show whitelist-db rap


AP-entry Details
----------------
Name               AP-Group  AP-Name            Full-Name  Authen-Username  Revoke-Text  AP_Authenticated  Description  Date-Added                Enabled  Remote-IP
----               --------  -------            ---------  ---------------  -----------  ----------------  -----------  ----------                -------  ---------
00:24:6c:cd:56:72  default   00:24:6c:cd:56:72            Test                         Authenticated                  Mon Aug 11 08:32:58 2014  Yes      1.1.1.1

AP Entries: 1



(Master) #show ap database

AP Database
-----------
Name               Group    AP Type  IP Address  Status      Flags  Switch IP     Standby IP
----               -----    -------  ----------  ------      -----  ---------     ----------
00:24:6c:cd:56:72  default  RAP-2WG  1.1.1.1     Up 15m:40s  Rc2  172.16.0.100  0.0.0.0


(Master) #show ap essid

ESSID Summary
-------------
ESSID  APs  Clients  VLAN(s)  Encryption
-----  ---  -------  -------  ----------
Test   1    0        1        WPA2 PSK AES
Num ESSID:1

Version History
Revision #:
1 of 1
Last update:
‎11-04-2014 12:53 PM
Updated by:
 
Labels (1)
Contributors
Search Airheads
Showing results for 
Search instead for 
Did you mean: 
Is this a frequent problem?

Request an official Aruba knowledge base article to be written by our experts.