02-06-2014 12:58 AM
I have a case where I need to set up two RAP3-WNs to work with (unsupported) 3G/4G modems, send them out into the world and have them connect to a 650 Controller over VPN. I was thinking that I'd like these to work in IAP mode in case the VPN cannot be established or somebody needs to tweak the modem settings locally. I'm new to IAPs and looking for advice on the VPN configuration. What I've done so far:
- Set up the IAP WLAN to have Virtual Controller-assigned IPs
- Configured VPN and whitelisted the AP from the controller. VPN status is UP
From the controller I can ping the IP address of the remote IAP, so I think the VPN is OK. I'm testing this now over wired internet; the USB modem is not configured yet. I want to get the VPN working before moving to USB.
The thing I cannot figure out: how do I configure IAP clients to have their own subnet behind IAP NAT, where I make a split tunnel to the corporate network? I tried using the default network which the IAP makes and making a route in the VPN settings, but traffic to that network is not routed into the VPN tunnel at all.
02-06-2014 01:30 AM
Some progress: I realized that I need to configure DHCP settings even if the IAP is offering something by default. So I created a local DHCP scope and assigned that VLAN to the SSID. Now I can ping the controller IP, which is in the destination subnet I want to reach. But still no access to other devices in that target subnet.
02-06-2014 12:05 PM
(Aruba650) #show iap table

Branch Key                                          Index  Status  Inner IP     MAC Address        Subnet
----------                                          -----  ------  --------     -----------        ------
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  1      UP      172.17.0.11  00:0b:86:xx:xx:xx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  0      DOWN    0.0.0.0      00:0b:86:xx:xx:xx

(Aruba650) #
For some reason the same AP is listed twice. The Subnet column is empty.
Controller firmware is 220.127.116.11
02-08-2014 02:43 PM
Ah, changing the VC DHCP to distributed L3 is a bit better:
(Aruba650) #show iap table

Branch Key                                          Index  Status  Inner IP     MAC Address        Subnet
----------                                          -----  ------  --------     -----------        ------
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  1      UP      172.17.0.13  00:0b:86:xx:xx:xx  172.16.1.64/27
Traffic is still blocked, but it seems that my client IP behind the IAP is in the logon role. Where do I control that behaviour?
02-09-2014 05:58 AM
Create a VPN authentication profile for IAP and select the correct role in that profile (default will be default-vpn-role which will allow all traffic):
aaa authentication vpn "default-iap"
ACMX#255 | ACMP | ACCP | AWMP
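To make the reply above concrete, this is what a restrictive role plus the VPN authentication profile look like in ArubaOS 6.x CLI syntax. It is an added example, not configuration posted in this thread: the netdestination, ACL and role names, the 172.16.0.0/16 corporate range, and the availability of a default-role parameter under the default-iap profile on the controller's release are all assumptions.

```text
configure terminal
! Corporate destination the IAP clients are allowed to reach (assumed range)
netdestination corp-net
  network 172.16.0.0 255.255.0.0
!
! Session ACL: permit client traffic to the corporate range, drop everything else
ip access-list session iap-branch-acl
  user alias corp-net any permit
  user any any deny
!
! Role applied to the IAP branch (and the clients behind it) once the tunnel is up;
! default-vpn-role would instead permit all traffic
user-role iap-branch-role
  access-list session iap-branch-acl
!
! VPN authentication profile the controller uses for IAP tunnels.
! The default-role parameter is an assumption for this release.
aaa authentication vpn default-iap
  default-role iap-branch-role
!
write memory
! Verify: "show rights iap-branch-role" lists the ACL, "show iap table" shows the branch UP
```

The ACL is written with the branch clients as the source (the `user` keyword) and the corporate range as the destination, so anything outside that alias is dropped at the controller rather than relying on the split-tunnel route alone.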
02-09-2014 10:04 AM - edited 02-09-2014 10:50 AM
(Aruba650) #aaa authentication ?
dot1x            Show 802.1X Authentication Configuration
stateful-dot1x   Stateful 802.1X Authentication
(Aruba650) #aaa authentication vpn
                               ^
% Invalid input detected at '^' marker.
(Aruba650) #
Am I missing something?
EDIT: Yes, configure terminal. Shouldn't have woken up today..
02-09-2014 01:48 PM
AP+PEF is absolutely sufficient. PEFV(VIA) gives you additional role assignment options.
02-13-2014 04:15 AM
I checked on two different A650 Controllers, one running 18.104.22.168 and another running 22.214.171.124. Neither has an option to set the default profile for VPN authentication, not in the CLI, not in the GUI. The only thing I can change is the server-group. I tried playing with the rules in the server-group, but that didn't change things.