Controller Based WLANs

What is remote AP "BACKUP" operation mode, how to configure it and troubleshoot it?

Aruba Employee
The backup operation mode of the remote AP (also known as fallback mode) is a new feature since aruba AOS 3.2. When it is enabled, it will function when the AP's primary LMS or backup LMS is unreachable. This feature will be very useful when we are in an environment where we need to pay first for internet access, such as in a hotel, or when we experience network connectivity issues, such as the WAN link or the central data center becomes unavailable.
 
For example, nowadays, in most of the hotels, we are only able to access internet after we have paid via the hotel portal page. In this situation, we can bring up a remote AP with backup mode configured, although it can not reach the controller at the beginning, it will advertise the backup ssid and allow us to access the hotel portal page to pay via wireless. After obtaining the internet access, the remote AP will be able to reach the aruba controller and tear down the backup ssid and start advertising the corporate ssid as standard remote ap mode. By now, we should be able to work as if we are in office.
 
Configure backup RAP
 
The following is a sample configuration and the configuration procedure:
 

There are 6 key points for backup mode configuration: 

  • create a dummy vlan in the controller for the backup mode user

 

(config)#vlan 500 

There is no need to configure an IP address for this vlan interface 

 

  • configure this vlan as the Remote-AP DHCP server vlan 

    (config) #ap system-profile test-bridge 
    #rap-dhcp-server-vlan 500 

    (Aruba2400) #show ap system-profile test-bridge 
    AP system profile "test-bridge" 

    LMS IP N/A 
    Backup LMS IP N/A 
    ..... 
    Remote-AP DHCP Server VLAN 500 
    Heartbeat DSCP 0 
    ...... 

create the inital role for the backup ssid user and apply it to the aaa profile 

 

 

(config) #ip access-list session bridge-initial 
any any svc-dhcp permit 
any any any route src-nat 

"any any svc-dhcp permit" is to allow the user to get ip address from the RAP. 

"any any any route src-nat " will make sure all the user traffic being source NATed on the RAP uplink ethernet interface and guarantee the user 192.168.11.0 private ip addresses will never be leaked into the outside network. 

(config) #user-role bridge-initial 
session-acl bridge-initial 

When the RAP is in backup mode, it will function as an DHCP server and assign ip addresses from the static DHCP pool 192.168.11.0/24 for wireless users associated with the backup ssid. The ip addresses pool is within the range from 192.168.11.2 through 192.168.11.254. The RAP wireless interface ip is 192.168.11.1/24. Any RAP within backup mode will have the same DHCP address pool and the same wireless interface ip. 

(Aruba2400) # show aaa profile test-aaa-profile 

AAA Profile "test-aaa-profile" 
-------------------------------- 
Parameter Value 
--------- ----- 
Initial role bridge-initial 
MAC Authentication Profile N/A 
......... 

 

 

  • create a virtual ap with remote ap backup mode enabled, forward mode as bridge,and apply the vlan & aaa profile & ssid profile created in previous steps 

    wlan virtual-ap "test-bridge" 
    ssid-profile "test-bridge" 
    vlan 500 
    forward-mode bridge 
    aaa-profile "test-aaa-profile" 
    rap-operation backup 

    RAP backup operation mode can only work at bridge forward mode 

  • create an RAP ap-group which has a backup mode virtual ap & ap system profile created in previous steps applied 

    ap-group "test-bridge" 
    virtual-ap "test-bridge" 
    virutal-ap "corport-vap" 
    ap-system-profile "test-bridge" 

  • assign the RAP to the ap-group 

 

Troubleshoot backup RAP 

 

 

As backup RAP is running under bridge forward mode, there will not be any sessions in the controller. If there is any problem with backup RAP, we need to get into "Full access mode" of the AP itself, and use the command "apfcutil -r" to do the troubleshooting:

 

 

The most important thing we need to check is if the configuration of the backup RAP has been pushed into the RAP, ie, the intial role, the vlan, the rap operation mode, the forward mode

 

  • apfcutil -r vaps RAP - gives the number of offline vaps stored (num_offline_vaps)
  • apfcutil -i RAP - Clears the RAP sector, in case one wants to start afresh 
    x = the vap interested in. can vary from (0, ...... , num_offline_vaps-1) 
  • apfcutil -r 3x RAP - Gives the virtual profile parameters
  • apfcutil -r 3x+1 RAP - Gives the ssid profile parameters
  • apfcutil -r 3x+2 RAP - Gives other misc profile parameters

For example: 

~ # apfcutil -r 0 RAP 
vlan 500 
forward_mode bridge 
rap_operation backup 
...............


~ # apfcutil -r 1 RAP 
essid test-bridge 
opmode static-wep 
wpa2_preauth Disabled 
dtim_period 1 
a_basic_rates 6 12 24 
a_tx_rates 6 9 12 18 24 36 48 54 
g_basic_rates 1 2 
g_tx_rates 1 2 5 6 9 11 12 18 24 36 48 54 
ageout 1000 
max_retries 4 
rts_threshhold 2333 
..............


~ # apfcutil -r 2 RAP 
vapname test-bridge# 
......... 
country_code 0# 
channel 44# 
beacon_period 100# 
tx_power 60# 
wep_keys1 1234567890# 
............... 
acl 41# 
std_acl 0# 
acl_name bridge-initial# 
acl_count 3# 

 

In the controller: 

(Aruba2400) # show rights bridge-initial 
Derived Role = 'bridge-initial' 
ACL Number = 41/0 

1 any any svc-dhcp permit low 
2 any any any route src-nat low

 

 

 

Version history
Revision #:
1 of 1
Last update:
‎07-02-2014 07:54 AM
Updated by:
 
Labels (1)
Contributors
Comments
nvadekar

I have tried this before and had it working, however i am trying again using aos 6.4.3.6 and I am getting this error

 

Error processing command 'wlan virtual-ap "my-backup-vap_prof" aaa-profile "my-backup-aaa_prof"':Error: 802.1X is not supported on "backup" virtual APs..
 

every time i try and set my vap profile to use the aaa profile.  this error doesnt make sense to me.  I have setup the ssid for wpa2-aes-psk, the vap profile for forward mode bridge and rap-ap-operation backup.   it will not allow the virtual-ap in "backup" mode with the 802.1X Authentication Profile default-psk.   Any ideas?

 

the config is:

 

 

Virtual AP profile "my-backup-vap_prof"
---------------------------------------
Parameter Value
--------- -----
AAA Profile default
SSID Profile default
Virtual AP enable Enabled
VLAN 188
Forward mode bridge
Remote-AP Operation backup
WAN Operation mode always

 

 

AAA Profile "my-backup-aaa_prof"
--------------------------------
Parameter Value
--------- -----
Initial role my-backup
MAC Authentication Profile N/A
MAC Authentication Default Role guest
MAC Authentication Server Group default
802.1X Authentication Profile default-psk
802.1X Authentication Default Role guest
802.1X Authentication Server Group N/A

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: 
Is this a frequent problem?

Request an official Aruba knowledge base article to be written by our experts.