01-17-2014 12:42 PM
>For Aruba Activate , is it for free to privde zero touch provisining ?
>As i understood , i will define my APs @ Aruba activate Mnually by Myself ?
>Then when APs powers up with Factory default it will contact Aruba Activate to get the IP of Configuration Server ( AirWave ) , right ?
>if i have setup of 6 Instant APs but want to tunnel all traffic to Centralized Controller at remote location , is this doable ?
Solved! Go to Solution.
01-17-2014 02:34 PM
You can assign your devices to folders within Activate and then apply provisioning rules to the folder.....including assigning AirWave or Aruba Central server or converting to campus or remote AP.
If you want to setup a VPN from the IAPs (IAP-VPN/RAP-NG) you'll need to provision against AirWave or Central to provide the configuration for that. Activate cannot do that alone.
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
01-17-2014 06:19 PM
Sometimes your devices might already be seen on the Activate dashboard off of the purchase, if the same account is maintained since purchase. Else, you can manually add. To ensure you see the devices on the dashboard;
a) Verify that your IAP can reach out to the Internet;
b) Verify that your IAP firmware version is 22.214.171.124-126.96.36.199_37688
c) If your IAP has ever communicated with an Airwave or Activate instance in the past, please perform a factory_reset or "write erase all" and reboot the device.
d) Login to the IAP Web UI and verify that the Airwave Server IP under System>Admin is blank
With regards to creating a VPN tunnel from IAP to Controller, You can refer to the knowledge base article: https://arubanetworkskb.secure.force.com/pkb/articles/FAQ/How-to-configure-basic-IAP-VPN-Controller-Configuration for quick details of IAP-VPN configuration.
For a client to connect to a RAPNG network, an SSID or wired ports on an IAP should be configured for the appropriate RAPNG mode of operation. The VLAN configuration in an SSID or wired port determines whether an SSID/wired port is configured for the RAPNG.
Airwave could be used to apply a sample configuration as follows:
- Find the the VC that you like for the "Golden Config" and click on the edit wrench and click "Import Settings".
- Navigate to Groups>List>Add and create a new group
- Click on the Group to Edit, Add a New Template
- Enter the VC that you imported settings and click fetch. This now serves as the golden template for all IAP's in this group.
Some screenshots for the above config as attached here.
[Please hit Kudos if my reply helps]
01-18-2014 01:56 AM
Thx , from the below KB , IAP traffic will be sent to Controller through VPN
Thsi means that i will be able to do all Processing on Controller ( Authentication , Firewalls , ... )
01-18-2014 03:53 PM - edited 01-18-2014 05:35 PM
Yes, we can pass all traffic including authentication to the Controller for a Single Data Center (one Controller) or Multiple Data Centers with one Controller in each, that can be used for redundancy of the IAP VPN tunnel. You may select Distributed L3 or Centralized L2 mode of operation on the IAP. For a deployment with Master-Standby Controller setup, we need to perform local authentication (at IAP end).
Also, note that the RADIUS and Airwave traffic from the IAP will carry the VPN-pool IP address that was assigned by the Controller to the IAP. To understand the different IAP modes of operation, this might be useful read: https://arubanetworkskb.secure.force.com/pkb/articles/FAQ/What-are-the-IAP-VPN-modes
To tunnel all traffic from IAP to the Controller, the routing profile on the IAP should look like:
route 0.0.0.0 0.0.0.0 <Controller-IP>
For the Master-Standby deployment, we need to add a routing profile exception for radius server and Airwave IPs, since the design requirement for this solution requires local radius authentication at IAP:
route <radius server ip> 255.255.255.255 0.0.0.0
route <Airwave IP> 255.255.255.255 0.0.0.0
Also, we now have an option on the IAP to configure enterprise domain to tunnel all DNS queries matching that domain, to the client’s original DNS server without proxying on IAP.
Example1: Tunnell all DNS queries to the Controller:
Example2: To configure an enterprise domain to tunnel only DNS queries matching that domain Controller.
Hope this helps.
[Hit Kudos if you find the info useful]
08-19-2014 06:24 PM