07-06-2017 08:07 AM
I have a controller with 11 AP for 4 SSID and multiple usages/security zones. Now I need to extend some SSID to a new small remote office without using controller. In the new office I have VPN connectivity with central office but no controller. I need to put 2 AP on this remote office. I would like to to use the local WAN access for the wifi users on remote office instead of pushing all traffic to central office in VPN.
How could I configure it ? Could I use IAP 200 series ?
I'm lost ;-)
Any help or suggestion will be appreciated.
Solved! Go to Solution.
07-06-2017 08:39 AM
Without an exhaustive look at the requirements, one has two choices here.
Yes, one could use an IAP2xx, either covert to a Remote AP (RAP) or use this as outlined in point #2.
#1 Outfit the remote offices with RAPs. Each RAP will create an IPSEC tunnel back to the corporate HQ controller. Configure the same VAP/SSID/AAA profiles for a new ap-group and place the RAPs in this group.
The user-role will have to change to a RAP-user role, which permits any traffic going through the tunnel to the controller, and at least one other rule stating "all else" will be SRC NAT out the RAP natural E0 interface into the local LAN/WAN
#2 Install an IAP cluster of one or more IAPs at the remote office.
the VC in the cluster will build an IPSEC tunnel to the corporate controller.
The IAP cluster is configured with a routing profile that deterimines which traffic is sent from the IAP via the tunnel. All else will be handled naturally in the local LAN. User role ACLs can be used to further define where user traffic goes.
Here, the IAP SSIDs would be configured identical to those in the corporate controller, including authentication. For example - if one were using 802.1x EAP-TLS for an SSID, the IAP would need to connect to the corporate RADIUS server via the tunnel.
One needs to consult the ArubaOS and IAP User Guides, and VRDs for details on either of these structures.
Hope this gives you a general direction.
Aruba Networks Customer Advocacy