RAP5 and RAP-125 serving an off-campus dormitory

I wanted to share what we did to unify the wireless experience for our on- and off-campus students.

We have a couple of dormitories that are not served by our campus fiber plant. These dorms use cable connections and off-the-shelf wireless solutions. For the students, this means that their wireless experience is more complex than that of a student living on campus.

We were hoping to provide a uniform wireless experience for our students, no matter where they lived. We used the RAP technology to reach this goal. We deployed a RAP5 and multiple AP-125s in the legacy RAP mode, which I'll call RAP-125.

This configuration took me a week or two to iron out. I wanted to share the configuration so it can help others looking to do something similar.

---

Here's the AP group that we assign to our off-campus RAP5s:

ap-group "WLU-GL-Master-RAP5-AP-Group"
   virtual-ap "WLUsec-GL-Master-RAP5-VAP"
   virtual-ap "WLU-GL-Master-RAP5-VAP"
   dot11a-radio-profile "WLU-ResNet-radio-802.11a"
   dot11g-radio-profile "WLU-ResNet-radio-802.11g"
   enet1-port-profile "WLU-RAP5-Split-Tunnel"
   enet2-port-profile "WLU-RAP5-Bridge-Port"
   enet3-port-profile "WLU-RAP5-Bridge-Port"
   enet4-port-profile "WLU-RAP5-Bridge-Port"
   ap-system-profile "GL-Master-System-Profile"

The main thing to notice about this configuration is the fact that the RAP5 can "split tunnel" and "bridge" at the same time. The reason that I'm doing this is to bridge the RAP-125 connections and allow them to assign a split tunnel user role based on 802.1X credentials.

Here's the system profile for the group:

ap system-profile "GL-Master-System-Profile"
   lms-ip ***.***.***.***
   bkup-lms-ip ***.***.***.***
   number_ipsec_retries 6
   native-vlan-id 341

The "number_ipsec_retries 6" entry is a workaround for an open TAC case. A RAP-125 will reconnect to a controller quicker in 5.0.3.1 with this command.

Here's the configuration for the bridge and split-tunnel ports:

Bridge configuration:

ap wired-port-profile "WLU-RAP5-Bridge-Port"
   wired-ap-profile "RAP5-WLU-Bridge-Port"
   no rap-backup
   aaa-profile "WLU-RAP5-Bridge-AAA"
   bridge-role "WLU-Wired-Bridge-RAP5"

ap wired-ap-profile "RAP5-WLU-Bridge-Port"
   wired-ap-enable
   forward-mode bridge
   switchport mode trunk
   switchport access vlan 341
   switchport trunk native vlan 341

aaa profile "WLU-RAP5-Bridge-AAA"
   initial-role "WLU-Wired-Bridge-RAP5"
   mac-default-role "WLU-DenyAll"

user-role WLU-Wired-Bridge-RAP5
   session-acl allowall

Split-tunnel configuration:

ap wired-port-profile "WLU-RAP5-Split-Tunnel"
   wired-ap-profile "RAP5-WLU-Split-Tunnel-Port"
   no rap-backup
   aaa-profile "WLU-RAP5-Wired-AAA"

ap wired-ap-profile "RAP5-WLU-Split-Tunnel-Port"
   wired-ap-enable
   forward-mode split-tunnel
   switchport access vlan 341

aaa profile "WLU-RAP5-Wired-AAA"
   initial-role "WLU-Wired-Port-RAP5"
   mac-default-role "WLU-DenyAll"

user-role WLU-Wired-Port-RAP5
   max-sessions 200
   session-acl icmp-acl
   ipv6 session-acl v6-denyall
   session-acl mDNS-responder
   session-acl Remote-Split-Tunneling
   session-acl allowall
!

ip access-list session Remote-Split-Tunneling
   any any svc-dhcp permit
   any alias WLU-IP-Space any permit
   any any any route src-nat
!

netdestination WLU-IP-Space
   network ***.***.***.*** ***.***.***.***

Here are our VAPs:

wlan virtual-ap "WLUsec-GL-Master-RAP5-VAP"
   aaa-profile "WLU-RAP5-AAA"
   ssid-profile "WLUsec"
   vlan 341
   forward-mode split-tunnel
   broadcast-filter all
   broadcast-filter arp

wlan virtual-ap "WLU-GL-Master-RAP5-VAP"
   aaa-profile "WLU-RAP5-Portal-AAA"
   ssid-profile "WLU"
   vlan 341
   forward-mode split-tunnel
   broadcast-filter all
   broadcast-filter arp

Here are our AAA statements:

aaa profile "WLU-RAP5-AAA"
   initial-role "WLU-Secure-RAP-Login"
   mac-default-role "WLU-DenyAll"
   authentication-dot1x "WLU-8021x-Auth-Profile"
   dot1x-default-role "WLU-Remote-RAP5-Student"
   dot1x-server-group "WLU-RAP5-Radius-Servers"

aaa profile "WLU-RAP5-Portal-AAA"
   initial-role "WLU-RAP5-Portal-AuthOnly-Login"
   authentication-mac "WLU-Mac-Auth"
   mac-default-role "WLU-Game-Consoles"
   dot1x-default-role "WLU-Guest"
   dot1x-server-group "WLU-RAP5-Portal-Server-Group"

AAA server groups:

aaa server-group "WLU-RAP5-Radius-Servers"
   auth-server ***.***.***
   auth-server ***.***.***
   set role condition Filter-Id contains "Staff" set-value WLU-Remote-RAP5-Staff
   set role condition Filter-Id contains "Student" set-value WLU-Remote-RAP5-Student

aaa server-group "WLU-RAP5-Portal-Server-Group"
   allow-fail-through
   auth-server ***.***.***
   auth-server Internal
   auth-server ***.***.***
   set role condition distinguishedName contains "Student" set-value WLU-Remote-RAP5-Student-Restricted
   set role condition distinguishedName contains "Faculty" set-value WLU-Remote-RAP5-Staff-Restricted
   set role condition role value-of

802.1X and portal user roles are similar to the following:

user-role WLU-Remote-RAP5-Student
   max-sessions 200
   ipv6 session-acl v6-denyall
   session-acl mDNS-responder
   session-acl WLU-Student-Restrictions
   session-acl Remote-Split-Tunneling
   session-acl allowall

The portal configuration itself is fairly vanilla.

The "session-acl Remote-Split-Tunneling" is the ACL that will do split tunneling on the RAP-125. A connected user will go out the broadband connection for all non-campus directed traffic. All campus-directed traffic will go out the tunnel between the RAP-125 and our Aruba controller.

Finally, the RAP5 and the RAP-125 are both provisioned as members of the "WLU-GL-Master-RAP5-AP-Group" AP group.

---

Here's redacted CLI output of the command "show ap active":

RAP125-House-2nd-Floor WLU-GL-Master-RAP5-AP-Group 125 REda 7d:2h:9m:41s
RAP5WN-House-Basement WLU-GL-Master-RAP5-AP-Group RAP-5WN REda 7d:2h:8m:49s

As you can see, the top line is an AP-125 with the "R" flag, for RAP, set; the second device is a standard RAP5WN.

---

Our students now receive an 802.1X SSID and an open SSID over a non-campus broadband connection. All of our off-campus students can now be managed in Airwave and we can troubleshoot their issues as if they were on campus.

I've also attached a document from our sales engineer, Sanjay Mistry, that goes over how to set up an AP-125 in legacy RAP (RAP-125) mode.

I hope this helps!

-Mike
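To make the split-tunnel behaviour of the Remote-Split-Tunneling ACL concrete, here is an added example (not part of Mike's post or any Aruba tool) that models how the three ACL entries classify a RAP client's flows: first match wins, "permit" entries ride the IPsec tunnel to the controller, and the trailing "route src-nat" entry is forwarded out the local broadband link with source NAT. The campus prefixes are constructed placeholders standing in for the redacted WLU-IP-Space netdestination, and svc-dhcp is assumed to mean UDP 67/68.

```python
"""Model of the Remote-Split-Tunneling session ACL from the post.

First matching entry wins.  In split-tunnel forward mode a 'permit'
action sends the flow through the tunnel to the controller; the final
'route src-nat' action bridges it out the RAP's broadband uplink with
source NAT.  Prefixes below are constructed stand-ins for the redacted
'netdestination WLU-IP-Space' in the post.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed placeholder for the redacted campus address space.
WLU_IP_SPACE = [ipaddress.ip_network("192.0.2.0/24"),
                ipaddress.ip_network("198.51.100.0/24")]

# Assumption: Aruba's built-in svc-dhcp netservice covers UDP 67 and 68.
SVC_DHCP = {("udp", 67), ("udp", 68)}


@dataclass(frozen=True)
class Rule:
    dst_alias: list | None   # None means 'any' destination
    service: set | None      # set of (proto, dport); None means 'any'
    action: str              # 'permit' (tunnel) or 'route src-nat' (local)


# Transcription of 'ip access-list session Remote-Split-Tunneling'.
REMOTE_SPLIT_TUNNELING = [
    Rule(None, SVC_DHCP, "permit"),        # any any svc-dhcp permit
    Rule(WLU_IP_SPACE, None, "permit"),    # any alias WLU-IP-Space any permit
    Rule(None, None, "route src-nat"),     # any any any route src-nat
]


def classify(dst_ip: str, proto: str, dport: int) -> str:
    """Return 'tunnel' or 'broadband' for a client flow, per the ACL."""
    dst = ipaddress.ip_address(dst_ip)
    for rule in REMOTE_SPLIT_TUNNELING:
        if rule.dst_alias is not None and not any(dst in n for n in rule.dst_alias):
            continue
        if rule.service is not None and (proto, dport) not in rule.service:
            continue
        return "tunnel" if rule.action == "permit" else "broadband"
    return "drop"  # implicit deny; unreachable here because of the catch-all


if __name__ == "__main__":
    for flow in [("192.0.2.10", "tcp", 443), ("203.0.113.5", "tcp", 443),
                 ("203.0.113.5", "udp", 67)]:
        print(flow, "->", classify(*flow))
```

Campus-bound HTTPS and all DHCP go through the tunnel; HTTPS to a non-campus address is NATed out the dorm's broadband connection, which is the behaviour the post describes for connected users.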