Wireless Access

Occasional Contributor II

ArubaOS 8 - Setting up Remote Access Point (RAP)

ArubaOS 8 - Setting up Remote Access Point (RAP)


The post shows the step by step configuration in setting up a Remote AP (RAP) in ArubaOS-8 (AOS8) on a standalone controller

This would be helpful for anyone new to AOS 8 and RAPs

Information is based on ArubaOS Version


Remote Access Points AOS6 versus AOS8

In AOS6:

In AOS8:

Redundancy achieved by, terminating RAPs on VRRP-IP or LMS/BKP-LMS.

High level of redundancy achieved by, terminating RAPs on Cluster

On Controller failure, RAPs Bootstraps and clients are de-authenticated.

Using L2 Connected Cluster, we can achieve Hitless AP failover and Hitless client failover.  We can also do RAP and Client load balancing.


Points to Consider.

Cluster is limited to max 4 nodes in case of RAP.

If you have a cluster of 4 Mobility Controllers, We should configure public-ip in all 4 controllers. It might be changing in the upcoming release

RAP will establish ipsec tunnels to all 4 controllers, but at any point of time only one A-AAC and on S-AAC will be established.


How to configure a Aruba Controller to terminate RAPs:

ArubaOS Version:

Controller Model: 7005

Controller Mode: Standalone

AP Model: AP-303H


Network Diagram:RAP Solution.jpg



Bring up the Controller in Standalone mode:Standalone.jpg


Install the Licence:

RAPs do not require PEFV. Only the regular AP licenses (AP, PEFNG).

Mobility Controller -> Configuration -> System -> Licensing

Once Installed, Please ensure that "Feature Enabled" checkbox is ticked. This will enable the license.


Make the Physical Connections:

Aruba 7005 Controller - 0/0/0 - Connected to Internet (Public Network)

Aruba 7005 Controller - 0/0/1 - Connected to My Lab (Internal Network)Port Status.jpg


Create an L2 and L3 Interface:L2 and L3 Interfaces.jpg


L2 and L3 Interfaces - Configuration snippet:L2 and L3 Config snippet.jpg


Creating a user role for the RAP user:

//listing all the internal network, I should have access to.

netdestination internal-networks                         






//Tunnelling internal network traffic to Controller and other traffic are source natted.

ip access-list session split-tunnel                           

    any any svc-dhcp permit

    user alias internal-networks any permit

    alias internal-networks user any permit

    user any any route src-nat


user-role System-Engineer

    access-list session global-sacl

    access-list session apprf-system-engineer-sacl

    access-list session split-tunnel



Configure VPN Pool:

Configuration -> Services -> VPN -> General VPN -> Add the Address PoolsVPN Pool Config.jpg

Equivalent CLI Command:

ip local pool "rap"


Define RAP AP Group and related settings:

ap-group-profile contains virtual-ap-profile and ap-system-profile.

virtual-ap-profile contains aaa-profile and ssid-profile.


//user-role "System-Engineer" is linked to aaa-profile

aaa profile "default"

    initial-role "System-Engineer"

    authentication-dot1x "default-psk"


//Creating the ssid-profile

wlan ssid-profile "Employee-ssid_prof"

    essid "KapilHome"

    wpa-passphrase "Aruba123!"

    opmode wpa2-psk-aes


//aaa-profile and ssid-profile is linked to the Virtual AP Profile.

wlan virtual-ap "Employee-rap-vap-profile"

    vlan 30

    aaa-profile "default"

    ssid-profile "Employee-ssid_prof"


//Creating the ap-system-profile

ap system-profile "rap-AP-system-profile"


    ap-console-password "Aruba123!"

    bkup-passwords "CP0010727!+^>"


//virtual-ap-profile and ap-system-profile is linked to the AP-Group

ap-group "raphome"

    virtual-ap "Employee-rap-vap-profile"

    ap-system-profile "rap-AP-system-profile"



You can also create WLAN using the wizard under "Configuration -> WLANs".

All the configuration are done on the "default" ap-group.

Name you choose for ssid in WLAN Wizard, is used as name for virtual-ap profile, aaa profile, authentication-dot1x profile and ssid-profile.


Whitelist the Remote AP:

Aruba7005 -> Configuration -> Access Points -> Whitelist -> Remote AP Whitelist.Whitelist RAP.jpg

Equivalent CLI command

whitelist-db rap add mac-address "20:4c:03:21:85:2c" ap-group "raphome" ap-name "Kapil-RAP"

-group "raphome" ap-name "Kapil-RAP"


DHCP Server on the Controller:

This is to serve the clients on VLAN 30.

This can be done under "Configuration -> Services -> DHCP -> DHCP Server" in GUI

ip dhcp excluded-address

ip dhcp pool pool30






service dhcp


Provision the AP (Instant AP):

Here we are converting an Instant AP (IAP) into Remote AP (RAP).

I have got a brand new IAP. I need to Provision the Country Code and then convert to RAP.

Just go to Maintenance -> Convert ->

Select “Remote APs managed by a Mobility Controller”

Enter the IP Address of the Mobility Controller

Click “Convert Now”RAP-coversion1.jpg


Verification Commands:

AP database:RAP Database.jpg

 AP bss-table:bss-table.jpg


 Interfaces on the RAP:Interfaces.jpg


Different ways RAPs can be terminated on the Controller:

Staged:               Any CAP APs can be staged to become a RAP

Zero Touch:  RAPs have a GUI where the user can enter the IP address or URL of the controller.

Activate: RAPs can also automatically communicate with Aruba cloud based Activate. If an entry exists in Activate it will direct these RAPS to the controller.

Conversion: Instant AP can also be converted to RAPs by pointing to IP address of the Mobility Controller


 Hope you find this useful. Please post your feedback !



Kapildev Erampu 




Contributor I

RE: ArubaOS 8 - Setting up Remote Access Point (RAP)

Thank you for the setup guide for the new OS ArubaOS 8.


It has helped a lot.

Occasional Contributor II

RE: ArubaOS 8 - Setting up Remote Access Point (RAP)

Welcome Mate :)

Search Airheads
Showing results for 
Search instead for 
Did you mean: