Controller Based WLANs

How to setup a controller using ZTP (Zero Touch Provisioning) on a MM in ArubaOS 8.x
Requirement:
  • Need an account in Activate and MD should be added in the Activate account.
  • MD should be able to get an IP address/DNS from a DHCP server.
  • MM and MD should have access to the internet (Ports: DNS and https) to contact Activate server (device.arubanetworks.com).

Starting from 8.x we can bring up  the 72xx, 70xx controllers as MD on a MM using Zero Touch Provision.  



Solution:
  1. Connect the last copper port of the controller (which will be pre-congiured on access vlan-4094 as dhcp-client) to the uplink switch/modem so that the MD can get IP address/DNS information. 
  2. MM uploads the certificate to Activate server using the Activate credentials provided to it. 
  3. MD establishes HTTPS connection with Activate server and obtains the information about MM (IP address of MM, node path, certificate). 
  4. MM gets the details about the MD from activate and white lists it. 
  5. MD establishes IPsec connection with MM. 



Configuration:

1. Once the device is added to Activate, set the mode of MD to "Managed Device.": 

 

2. Configure the rule "Managed Device to Master Controller" and provide the details about the MM. 

 

3. Configure the Activate credentials on MM. 

#activate
#whitelist-enable
#username "activate_username"
#password "password"

 



Verification

Once the MD has got IP address/DNS from DHCP server, it automatically contacts Activate and receives the MM information from Activate.

From the console logs of MD:

Received DHCP response, My IP = 10.17.168.30, Master = none, Country code = none
Master info not received from DHCP, trying activate
Received Activate response, My Role = md, Master  = 10.17.164.171, Master MAC = 00:50:56:9F:E7:A1, Hostname = ZTP-MD, Country code = US, Redundant Master MAC = none  VPN IP = none, VPN MAC = none, Redundant VPN MAC = none
Master = 10.17.164.171 auto-discovered from Activate
 

on the MM:

(Abdul-MM) [mynode] #show running-config | include local-custom 
Building Configuration...
local-custom-cert local-mac "00:0b:86:dd:4f:20" ca-cert factory-ca-cert server-cert self-signed-field-cert --> whitelist entry pushed from Activate. 

Note: Controller syncs regularly to get the whitelist details from Activate. If not, execute the command #activate sync

(Abdul-MM) [mynode] #show switches
All Switches
------------
IP Address     IPv6 Address  Name      Location          Type    Model      Version        Status  Configuration State  Config Sync Time (sec)  Config ID
----------     ------------  ----      --------          ----    -----      -------        ------  -------------------  ----------------------  ---------
10.17.164.171  None          Abdul-MM  Building1.floor1  master  ArubaMM    8.0.1.0_57204  up      UPDATE SUCCESSFUL    0                       6
10.17.168.30   None          ZTP-MD    Building1.floor1  MD      Aruba7010  8.0.1.0_57204  up      UPDATE SUCCESSFUL    0                       6

Total Switches:2

(Abdul-MM) [mynode] #show activate

activate
--------
Parameter                                 Value
---------                                 -----
Activate Whitelist Service                Enabled
Activate URL                              https://activate.arubanetworks.com/
Provision Activate URL                    https://device.arubanetworks.com/
Activate Login Username                   rvincent
Activate Login Password                   ********
Periodic Interval for WhiteList Download  1
Add-Only Operation                        Enabled
Custom cert to upload to Activate         N/A
Server cert to be used for IPSEC          N/A
(Abdul-MM) [mynode] #
 

Version History
Revision #:
2 of 2
Last update:
‎03-29-2017 10:17 AM
Updated by:
 
Labels (1)
Contributors
Search Airheads
Showing results for 
Search instead for 
Did you mean: 
Is this a frequent problem?

Request an official Aruba knowledge base article to be written by our experts.