Controllerless Networks

Reply
Occasional Contributor II
Posts: 16
Registered: ‎11-18-2007

Backup operation (Backup SSID) on RAPNG / IAP's

Hi All,

we are currently evaluating concepts to replace traditional RAP's with newer IAP models. And we also try to configure the IAP's to VPN to a controller sitting on the data center.

We managed to get it working quite the same like a traditional RAP as long as the connectivity on the IAP's site is fine, but is there any way to have an alternate configuration when the VPN link is down.

I've seen there are several options (on guest / captive portal SSID's) to 'disable' the SSID when a specific uplink type is in use, but it seems i only can trigger on the 'physical network link', but not if the VPN connection can be established or not.

Is there something like a "rap-operation backup" equivalent for IAP SSID's and something comparable for wired ports?

We have some locations where the internet connectivity is not very stable, so we want to setup a backup operation mode with an PSK SSID and open wired ports when the VPN Tunnel is down, and full 802.1x for wired and wireless if the tunnel is up. Any hints how to archive this on an IAP?

Thanks & Bye,
         Chris

Aruba
Posts: 1,377
Registered: ‎12-12-2011

Re: Backup operation (Backup SSID) on RAPNG / IAP's

Unfortunately, this is not available today.  

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Occasional Contributor II
Posts: 16
Registered: ‎11-18-2007

Re: Backup operation (Backup SSID) on RAPNG / IAP's

[ Edited ]

Hi Seth,

 

can you give me some information when this will be available?

 

Thanks & Bye,

      Chris

Aruba
Posts: 1,377
Registered: ‎12-12-2011

Re: Backup operation (Backup SSID) on RAPNG / IAP's

If you are doing 802.1x, in today's code, there is auth survivability for up to 24 hours when using Clearpass.  If you have clients already on the network (and the VPN is configured for split-tunneling), the users will STAY connected and be able to access the internet.

 

Would this be an option for you?

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Occasional Contributor II
Posts: 16
Registered: ‎11-18-2007

Re: Backup operation (Backup SSID) on RAPNG / IAP's

Hi Seth,

 

i've stumbled over auth survivability, but i hadn't the time to dig into it. Maybe you can give me some short answers for some fundamental questions that came up:

- Will auth survivability cache entries 'survive' AP reboots? (usually, the areas having weak internet also often have power issues)

- Are role assignments also cached? (we use separate VLAN's and policies for Corporate, BYOD, Mobiles and manufactoring devices).

- Does it support all Authentication flavours (EAP-TLS, EAP-PEAP-TLS (very important for corporate devices) and EAP-PEAP-MSCHAPv2)?

 

Thanks & Bye,

      Chris

Aruba
Posts: 1,377
Registered: ‎12-12-2011

Re: Backup operation (Backup SSID) on RAPNG / IAP's


cniessner wrote:

Hi Seth,

 

i've stumbled over auth survivability, but i hadn't the time to dig into it. Maybe you can give me some short answers for some fundamental questions that came up:

- Will auth survivability cache entries 'survive' AP reboots? (usually, the areas having weak internet also often have power issues)

- Are role assignments also cached? (we use separate VLAN's and policies for Corporate, BYOD, Mobiles and manufactoring devices).

- Does it support all Authentication flavours (EAP-TLS, EAP-PEAP-TLS (very important for corporate devices) and EAP-PEAP-MSCHAPv2)?

 

Thanks & Bye,

      Chris


The survivability will NOT work after a reboot if Clearpass is still down

 

Role assignments are cached

 

It does support PEAP and TLS starting with IAP code 4.1

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Search Airheads
Showing results for 
Search instead for 
Did you mean: