The AP authorization profile specifies which configuration the remote AP downloads before it is authenticated at the remote site. By default, these not-yet-authorized APs are put into the temporary AP group authorization-group. This configuration allows a user to connect to an unauthorized remote AP via a wired port and then enter a corporate username and password.
Once a valid user has authorized the remote AP, the AP is permanently marked as authorized on the network and then downloads the configuration assigned to it by its permanent AP group.
This article applies to Aruba controllers running ArubaOS version 5.0 and above.
Environment: Remote AP deployment
Network Topology: Controller and remote AP
When the remote AP comes up on the controller, if an AP authorization profile is configured on the group to which it is provisioned, it downloads the AP authorization group configuration instead of the provisioned group configuration. Once the remote user authorizes the AP by entering corporate credentials in the captive portal, the AP downloads the provisioned group configuration.
(Master) #show whitelist-db rap
AP-entry Details
----------------
Name AP-Group AP-Name Full-Name Authen-Username Revoke-Text AP_Authenticated Description Date-Added Enabled Remote-IP
---- -------- ------- --------- --------------- ----------- ---------------- ----------- ---------- ------- ---------
00:24:6c:cd:56:72 default 00:24:6c:cd:56:72 Provisioned Mon Aug 11 08:32:58 2014 Yes 1.1.1.1
AP Entries: 1
(Master) #show ap-group default
AP group "default"
------------------
Parameter Value
--------- -----
Virtual AP test
802.11a radio profile default
802.11g radio profile default
Ethernet interface 0 port configuration default
Ethernet interface 1 port configuration default
Ethernet interface 2 port configuration shutdown
Ethernet interface 3 port configuration shutdown
Ethernet interface 4 port configuration shutdown
AP system profile default
VoIP Call Admission Control profile default
802.11a Traffic Management profile N/A
802.11g Traffic Management profile N/A
Regulatory Domain profile default
RF Optimization profile default
RF Event Thresholds profile default
IDS profile default
Mesh Radio profile default
Mesh Cluster profile N/A
Provisioning profile N/A
AP authorization profile Authorization-profile
(Master) # show ap authorization-profile Authorization-profile
AP Authorization profile "default" (Predefined (editable))
----------------------------------------------------------
Parameter Value
--------- -----
AP authorization group NoAuthApGroup
(Master) #show ap-group NoAuthApGroup
AP group "NoAuthApGroup" (Predefined (changed))
-----------------------------------------------
Parameter Value
--------- -----
Virtual AP N/A
802.11a radio profile default
802.11g radio profile default
Ethernet interface 0 port configuration default
Ethernet interface 1 port configuration Wired-captive-portal-profile
Ethernet interface 2 port configuration NoAuthWiredPort
Ethernet interface 3 port configuration NoAuthWiredPort
Ethernet interface 4 port configuration NoAuthWiredPort
AP system profile default
VoIP Call Admission Control profile default
802.11a Traffic Management profile N/A
802.11g Traffic Management profile N/A
Regulatory Domain profile default
RF Optimization profile default
RF Event Thresholds profile default
IDS profile default
Mesh Radio profile default
Mesh Cluster profile N/A
Provisioning profile N/A
AP authorization profile N/A
(Master) #show whitelist-db rap
AP-entry Details
----------------
Name AP-Group AP-Name Full-Name Authen-Username Revoke-Text AP_Authenticated Description Date-Added Enabled Remote-IP
---- -------- ------- --------- --------------- ----------- ---------------- ----------- ---------- ------- ---------
00:24:6c:cd:56:72 default 00:24:6c:cd:56:72 Provisioned Mon Aug 11 08:32:58 2014 Yes 1.1.1.1
The RAP comes up with the R- flag (Remote AP requires Auth):
(Master) #show ap database
AP Database
-----------
Name Group AP Type IP Address Status Flags Switch IP Standby IP
---- ----- ------- ---------- ------ ----- --------- ----------
00:24:6c:cd:56:72 default RAP-2WG 1.1.1.1 Up 15m:40s R-c2 172.16.0.100 0.0.0.0
Flags: U = Unprovisioned; N = Duplicate name; G = No such group; L = Unlicensed
I = Inactive; D = Dirty or no config; E = Regulatory Domain Mismatch
X = Maintenance Mode; P = PPPoE AP; B = Built-in AP
R = Remote AP; R- = Remote AP requires Auth; C = Cellular RAP;
c = CERT-based RAP; 1 = 802.1x authenticated AP; 2 = Using IKE version 2
u = Custom-Cert RAP; S = Standby-mode AP; J = USB cert at AP
M = Mesh node; Y = Mesh Recovery
Total APs:1
(Master) # show ap essid
ESSID Summary
-------------
ESSID APs Clients VLAN(s) Encryption
----- --- ------- ------- ----------
Num ESSID:0
Once the user authenticates using the captive portal page, the state changes to Authenticated:
(Master) # show whitelist-db rap
AP-entry Details
----------------
Name AP-Group AP-Name Full-Name Authen-Username Revoke-Text AP_Authenticated Description Date-Added Enabled Remote-IP
---- -------- ------- --------- --------------- ----------- ---------------- ----------- ---------- ------- ---------
00:24:6c:cd:56:72 default 00:24:6c:cd:56:72 Test Authenticated Mon Aug 11 08:32:58 2014 Yes 1.1.1.1
AP Entries: 1
(Master) #show ap database
AP Database
-----------
Name Group AP Type IP Address Status Flags Switch IP Standby IP
---- ----- ------- ---------- ------ ----- --------- ----------
00:24:6c:cd:56:72 default RAP-2WG 1.1.1.1 Up 15m:40s Rc2 172.16.0.100 0.0.0.0
(Master) #show ap essid
ESSID Summary
-------------
ESSID APs Clients VLAN(s) Encryption
----- --- ------- ------- ----------
Test 1 0 1 WPA2 PSK AES
Num ESSID:1
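
An added example, not part of the original article or Aruba's tooling: a Python parser for saved `show ap database` output that lists remote APs still carrying the R- flag (up on the controller but not yet authorized through the captive portal). The sample text is constructed from this article's row plus two invented rows, and the parser assumes AP names and group names contain no spaces.

```python
import ipaddress

# Constructed sample modelled on the `show ap database` rows in this article;
# the second and third rows are invented for illustration.
SAMPLE = """\
(Master) #show ap database
AP Database
-----------
Name               Group    AP Type  IP Address  Status       Flags  Switch IP     Standby IP
----               -----    -------  ----------  ------       -----  ---------     ----------
00:24:6c:cd:56:72  default  RAP-2WG  1.1.1.1     Up 15m:40s   R-c2   172.16.0.100  0.0.0.0
rap-branch-2       default  RAP-2WG  1.1.1.2     Up 2h:1m:5s  Rc2    172.16.0.100  0.0.0.0
campus-ap-1        default  105      10.0.0.5    Down                172.16.0.100  0.0.0.0
Flags: U = Unprovisioned; N = Duplicate name; G = No such group; L = Unlicensed
       R = Remote AP; R- = Remote AP requires Auth; C = Cellular RAP;
Total APs:3
"""

def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def parse_ap_database(text):
    """Return one dict per AP row; header, ruler and legend lines are skipped."""
    rows = []
    for line in text.splitlines():
        t = line.split()
        # A data row has an IP address in column 4 and Up/Down in column 5.
        if len(t) < 7 or not _is_ip(t[3]) or t[4] not in ("Up", "Down"):
            continue
        rest = t[5:]
        if t[4] == "Up" and rest and not _is_ip(rest[0]):
            rest = rest[1:]  # drop the uptime token that follows "Up"
        # What remains is [flags,] switch-ip, standby-ip; flags may be blank.
        flags = rest[0] if len(rest) == 3 else ""
        rows.append({"name": t[0], "group": t[1], "status": t[4], "flags": flags})
    return rows

def pending_authorization(text):
    """Names of remote APs still carrying the 'R-' (requires Auth) flag."""
    return [r["name"] for r in parse_ap_database(text) if "R-" in r["flags"]]

if __name__ == "__main__":
    for name in pending_authorization(SAMPLE):
        print(f"{name}: remote AP is up but not yet authorized (R- flag)")
```

An AP that stays in this list long after deployment is still running the authorization group configuration rather than its provisioned group.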