Controllerless Networks

Reply
obi
Contributor II

Instant AP VPN -> Controller

I have a case where I need to set up two RAP3-WNs to work with (unsupported) 3G/4G modems, send them out into the world and have them connect to a 650 Controller with VPN. I was thinking that I'd like these to work in IAP mode in case the VPN cannot be established or somebody needs to tweak the modem settings locally. I'm new to IAPs and looking for advice on VPN configuration. What I've done so far:

- Set up the IAP WLAN to have Virtual Controller assigned IPs

- Configured the VPN and whitelisted the AP from the controller. VPN status is UP

From the Controller I can ping the IP address of the remote IAP, so I think the VPN is OK. I'm testing this now over wired internet; the USB modem is not configured yet. I want to get the VPN working before moving to USB.

The thing I cannot figure out is how to configure IAP clients to have their own subnet behind the IAP NAT, with a split tunnel to the corporate network. I tried using the default network which the IAP creates and adding a route in the VPN settings, but traffic to that network is not routed into the VPN tunnel at all.

obi
Contributor II

Re: Instant AP VPN -> Controller

Some progress: I realized that I need to configure DHCP settings even if the IAP is offering something by default. So I created a local DHCP scope and assigned that VLAN to the SSID. Now I can ping the controller IP, which is in the destination subnet where I want to go. But still no access to other devices in that target subnet.

Re: Instant AP VPN -> Controller

What version are you running on the controller side?


Can you see the assigned subnet in the controller in "show iap table"?


ACMX#255 | ACDX#742 | ACCX#746 | AMFX#25 | ACMP | ACCP | AWMP
www.securelink.nl
obi
Contributor II

Re: Instant AP VPN -> Controller

(Aruba650) #show iap table

Branch Key                                             Index     Status     Inner IP        MAC Address             Subnet
----------                                             -----     ------     --------        -----------             ------
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx     1         UP         172.17.0.11     00:0b:86:xx:xx:xx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx     0         DOWN       0.0.0.0         00:0b:86:xx:xx:xx

(Aruba650) #

For some reason the same AP is listed twice. The Subnet column is empty.

Controller firmware is 6.2.1.3

obi
Contributor II

Re: Instant AP VPN -> Controller

Ah, changing VC DHCP to distributed L3 is a bit better:

(Aruba650) #show iap table

Branch Key                                             Index     Status     Inner IP        MAC Address             Subnet
----------                                             -----     ------     --------        -----------             ------
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx     1         UP         172.17.0.13     00:0b:86:xx:xx:xx       172.16.1.64/27

And traffic is still blocked, but it seems that my client IP behind the IAP is in the logon role. But where do I control that behaviour?
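A quick health check for the two `show iap table` outputs above, as an added example (not from the thread or from Aruba): it parses the table rows and flags branches whose tunnel is DOWN or that, like the first output, show an empty Subnet column, which is the column that only became populated after VC DHCP was changed to distributed L3. The sample output is constructed from the thread with branch keys and MACs masked.

```python
"""Parse ArubaOS 'show iap table' output and flag branches whose VPN is down
or that have not advertised a client subnet to the controller."""
import re

# Constructed sample: rows 1 and 0 mirror the first output in the thread
# (Subnet empty), row 2 mirrors the output after switching to distributed L3.
SAMPLE = """\
(Aruba650) #show iap table

Branch Key                       Index     Status     Inner IP        MAC Address             Subnet
----------                       -----     ------     --------        -----------             ------
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx   1         UP         172.17.0.11     00:0b:86:xx:xx:xx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx   0         DOWN       0.0.0.0         00:0b:86:xx:xx:xx
yyyyyyyyyyyyyyyyyyyyyyyyyyyyyy   2         UP         172.17.0.13     00:0b:86:yy:yy:yy       172.16.1.64/27

(Aruba650) #
"""

# One data row: branch key, index, status, inner IP, MAC, optional subnet.
# Header, dashed rule and prompt lines do not match (no numeric index field).
ROW_RE = re.compile(
    r"^(?P<key>\S+)\s+(?P<index>\d+)\s+(?P<status>UP|DOWN)\s+"
    r"(?P<inner_ip>\S+)\s+(?P<mac>\S+)(?:\s+(?P<subnet>\S+))?\s*$"
)

def parse_iap_table(text):
    """Return one dict per branch row, in the order the controller lists them."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            row = m.groupdict()
            row["index"] = int(row["index"])
            row["subnet"] = row["subnet"] or ""   # empty Subnet column -> ""
            entries.append(row)
    return entries

def find_problems(entries):
    """Map branch index -> list of findings worth chasing before blaming roles."""
    problems = {}
    for e in entries:
        issues = []
        if e["status"] != "UP":
            issues.append("VPN tunnel is down")
        if not e["subnet"]:
            # The controller has learned no client subnet for this branch, so
            # it cannot route return traffic to clients behind the IAP.
            issues.append("no client subnet advertised (check VC DHCP scope type)")
        if issues:
            problems[e["index"]] = issues
    return problems

if __name__ == "__main__":
    for idx, issues in sorted(find_problems(parse_iap_table(SAMPLE)).items()):
        print(f"branch {idx}: {'; '.join(issues)}")
```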

Re: Instant AP VPN -> Controller

Create a VPN authentication profile for IAP and select the correct role in that profile (default will be default-vpn-role which will allow all traffic):


aaa authentication vpn "default-iap"

!


ACMX#255 | ACDX#742 | ACCX#746 | AMFX#25 | ACMP | ACCP | AWMP
www.securelink.nl
obi
Contributor II

Re: Instant AP VPN -> Controller

(Aruba650) #aaa authentication ?
dot1x                   Show 802.1X Authentication Configuration
stateful-dot1x          Stateful 802.1X Authentication

(Aruba650) #aaa authentication vpn
                               ^
% Invalid input detected at '^' marker.

(Aruba650) #

Am I missing something?

EDIT: Yes, configure terminal. Shouldn't have woken up today..

obi
Contributor II

Re: Instant AP VPN -> Controller

I got AP and PEF licenses, but do I also need PEF/VPN aka VIA/VPN licenses on controller?

Frequent Contributor I

Re: Instant AP VPN -> Controller

AP+PEF is absolutely sufficient. PEFV(VIA) gives you additional role assignment options.

HTH

MK

Marek Krauze, CWNE# 174, ACMX #295, ACDX #356
obi
Contributor II

Re: Instant AP VPN -> Controller

I checked on two different A650 Controllers, one running 6.2.1.3 and another running 6.3.1.2. Neither has an option to set the default profile for VPN authentication, not in the CLI, not in the GUI. The only thing I can change is the server-group. I tried to play with rules in the server-group but that didn't change things.
