Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Campus AP in Bridge mode

  • 1.  Campus AP in Bridge mode

    Posted Feb 25, 2013 07:01 AM

    Hi Experts

     

    I would like to ask a few questions regarding the Campus AP in Bridge mode:

     

    1. For Campus AP in bridge mode, does it support fast roaming, or will the client need to re-authenticate every time it roams?

    2. Is there a max number of bridge mode AP in a virtual AP profile?

    3. Is spectrum load balance and traffic shaping supported in this AP mode?

     

    I am referring to campus AP which a controller is always connected.

     

    I look forward to hearing your clarification.

     

    Thanks



  • 2.  RE: Campus AP in Bridge mode

    Posted Feb 25, 2013 07:30 AM

    Hi.

     

    Please read the following info:

    Bridge: 802.11 frames are bridged into the local Ethernet LAN. When a remote AP or campus AP is in bridge mode, the AP (and not the controller) handles all 802.11 association requests and responses, encryption/decryption processes, and firewall enforcement. The 802.11e and 802.11k action frames are also processed by the AP, which then sends out responses as needed.

    An AP in bridge mode does not support captive portal authentication. Both remote and campus APs can be configured in bridge mode. Note that you must enable the control plane security feature on the controller before you configure campus APs in bridge mode.

     


    *DON'T FORGET TO CONFIGURE THE NATIVE VLAN ON EACH VAP U ARE USING BRIDGE-MODE IN*

     

    1. The AP will handle the 802.11 association, so no: the user will need to re-auth on each AP.

    2. No.

    3. All of these options will not be supported when using Bridge-mode:

    Firewall—SIP/SCCP/RTP/RTSP Voice Support
    Firewall—Alcatel NOE Support
    Voice over Mesh
    Video over Mesh
    Named VLAN
    Captive portal
    Rate Limiting for broadcast/multicast
    Power save: Wireless battery boost
    Power save: Drop wireless multicast traffic
    Power save: Proxy ARP (global)
    Power save: Proxy ARP (per-SSID)
    Automatic Voice Flow Classification

    SIP ALG
    SIP: SIP authentication tracking
    SIP: CAC enforcement enhancements
    SIP: Phone number awareness
    SIP: R-Value computation
    SIP: Delay measurement
    Management: Voice-specific views
    Management: Voice client statistics
    Management: Voice client troubleshooting
    Voice protocol monitoring/reporting
    SVP ALG
    H.323 ALG
    Vocera ALG
    SCCP ALG
    NOE ALG
    Layer 3 Mobility
    IGMP Proxy Mobility
    Mobile IP
    TKIP countermeasure mgmt
    Bandwidth based CAC
    Dynamic Multicast Optimization

    User derivated rules

    Firewall rules logging to syslog server

    Spectrum load balancing

    RF sensitivity tuning based channel reuse

     

    Hope it clarifies your questions.

    Feel free to ask more if you have further questions.

     

    have a lovely week.

     

    me



  • 3.  RE: Campus AP in Bridge mode

    Posted Oct 30, 2013 10:09 AM

    Just want to clarify something: does Bridge-mode really not support "User derivated rules"? In the manual this is not mentioned at all. Can you please confirm, as this is important?

    And also to clarify: if the RADIUS server is assigning a user role and the AP is in bridge mode, does this mean the user will not be assigned the role?



  • 4.  RE: Campus AP in Bridge mode

    Posted Nov 01, 2013 07:16 AM
    Hi Asa,

    Hope you are doing good. I just want to confirm whether captive portal doesn't work in campus AP bridge mode. I have doubts about it; I think captive portal works with CAP in bridge mode. Please confirm.


  • 5.  RE: Campus AP in Bridge mode

    EMPLOYEE
    Posted Nov 01, 2013 08:03 AM

    @syedmuradali wrote:
    Hi Asa,

    Hope you are doing good. I just want to confirm whether captive portal doesn't work in campus AP bridge mode. I have doubts about it; I think captive portal works with CAP in bridge mode. Please confirm.

    Captive portal cannot work with Campus APs in bridge mode, no.



  • 6.  RE: Campus AP in Bridge mode

    Posted Nov 01, 2013 08:28 AM
    Thank you Colin, I was confused between MAC-based authentication and captive portal in bridge mode. Now it's clear that MAC-based authentication can be configured in bridge mode but captive portal cannot be configured in bridge mode, right?
    Secondly, please confirm: if we configure captive portal on an external server, will it still not work with bridge mode?


  • 7.  RE: Campus AP in Bridge mode

    Posted Feb 25, 2013 09:11 AM
    Hi

    Thank you for your response.

    What about layer 2 roaming in bridge mode? Does it require re-auth as mentioned?
    In this case, what features in ARM will still be provided?

    Thanks


  • 8.  RE: Campus AP in Bridge mode

    Posted Feb 25, 2013 09:20 AM

    Answer to 1;

    Any connection to a new AP requires 802.11 authenticate/associate.

     

    If the SSID is open, and the question is whether we maintain L3 information on role (i.e. captive-portal assigned role), then yes, so the user won't keep getting CP every time he roams.

     

    If the SSID is encrypted with a PSK then EAPOL will need to exchange between AP and client.

     

    If the SSID is dot1X, then depending on whether the client supports OKC or PMK caching, we might be able to do the key exchange without having to do a complete EAP exchange (OKC and PMK cache are supported in all forward modes).

     

     

    As for 2, not sure I understand the question. There are limits to the number of Virtual APs an AP can support concurrently (some APs support 8 BSSIDs per radio, others 16 per radio). If it's about how many profiles can be in the config, then there is practically no limit.

     

     



  • 9.  RE: Campus AP in Bridge mode

    Posted Feb 25, 2013 04:58 PM

    Hi

     

    I am still a bit confused.

     

    So from the end user point of view (when CAP in Bridge mode), for an SSID with PSK, the connection will drop and re-associate when they roam. For an SSID with 802.1x, if the client supports OKC or PMK caching, then the connection will NOT drop, and just roam seamlessly?

     

    Much appreciated for the clarification.

     

    Cheers



  • 10.  RE: Campus AP in Bridge mode

    Posted Feb 26, 2013 04:44 AM

    No matter what type of SSID (open, PSK, or Dot1X), the user of the device should not notice the device has roamed.

    EAPOL exchange is just 4 packets, EAP+EAPOL is dependent on the size of client/server certificates, but only typically a couple of Kbytes, so the exchange takes place very quickly.

     

    The only thing you do have to be aware of is the latency to the radius server when used over poor links, as this can add significant delay to completing dot1X.

    In this sort of case you should look to use something like EAP-PWD but not many devices support it yet.



  • 11.  RE: Campus AP in Bridge mode

    Posted Feb 26, 2013 05:17 AM

    That is even more confusing. Actually, let me explain what I am trying to do.

     

    The whole network is going to be within one site, there should be no issue with network latency as there are 1/10G uplink everywhere.

    However, we are trying to explore the idea of having the user packet switch straight onto the wired network to avoid bottleneck at the controller.

    Therefore, we want to make sure there is no issue with fast roaming (the users don't want to get disconnected when they move from one place to another). Also spectrum load balancing, in case there are too many clients attached to one AP.


    I understand Instant would probably be a better choice here, but I am worried about the high density areas. For example, lecture halls and large common areas etc.



  • 12.  RE: Campus AP in Bridge mode

    Posted Feb 26, 2013 05:32 AM

    From an Aruba perspective there is very little difference in roaming in tunnel mode or roaming in bridge mode.

    The only major difference from a network perspective is that in tunnel mode the client at a L2 MAC level never moves between switch ports, but of course in local bridging as the client moves it moves between switch ports on the local switches, which should have no effect.

     

    You could always select an A72x0 controller which we have recently released which is a lot more powerful than previous controllers.

     

    RF designs for lecture halls can be complex I believe we have a VRD for the same.

     

     



  • 13.  RE: Campus AP in Bridge mode

    Posted Feb 26, 2013 05:36 AM

    Hi all

     

    Thanks for the responses.

     

    I agree tunnel mode will work if the network consists of 1/10G uplink everywhere.

     

    I would like to explore deeper in terms of roaming in Bridge mode though. When the client moves from one AP to another AP (both in Bridge mode), what would the client experience? Will the client's connection get dropped, then reassociated and reauthenticated with the next AP? Is this process different between Open, PSK, and 802.1x authentication?

     

    Thanks again



  • 14.  RE: Campus AP in Bridge mode

    EMPLOYEE
    Posted Feb 26, 2013 05:22 AM
    If you have gig everywhere, you should have no problems using tunnel mode, at all, period. Everything will be supported.


  • 15.  RE: Campus AP in Bridge mode

    Posted Nov 01, 2013 01:28 PM
    Captive portal in general will only work if the traffic is handled by the controller which is the case in tunnel mode and also split tunnel mode where the pre auth role will tunnel the traffic back to the controller for captive portal auth to work.


  • 16.  RE: Campus AP in Bridge mode

    Posted Nov 14, 2013 04:12 PM

    can you elaborate a bit about this

     

    "*DON'T FORGET TO CONFIGURE THE NATIVE VLAN ON EACH VAP U ARE USING BRIDGE-MODE IN*"

     

    where does that occur? i can't seem to find it.

     

    thanks,

    chris



  • 17.  RE: Campus AP in Bridge mode

    Posted Jul 13, 2018 06:36 PM

    Sorry, but I also have a question about bridge mode. How do I configure a trunk port on the AP eth port in bridge mode? I use OnGuard and want to put an unhealthy client in a different VLAN.

    Thanks



  • 18.  RE: Campus AP in Bridge mode

    EMPLOYEE
    Posted Jul 14, 2018 05:34 PM

    In the AP system profile of that AP, the "Native VLAN" parameter indicates what is the native VLAN on the enet0 port of that AP.  That means if you have a Virtual AP that puts a client on a VLAN that equals that parameter, it will bridge the traffic without tagging.  If the VLAN does not match that parameter, it will tag the client's traffic before bridging it.

     

    With regards to putting a client on a different VLAN with a bridged SSID, you are limited to the VLAN in the Virtual AP.  You cannot derive a VLAN from radius attributes, user derivation rules, server derivation rules or the VLAN in a role.
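
The tagging rule described in the last reply can be checked against the wired side before deployment. The following is an added example, not part of the original thread and not Aruba code: it models the rule (a bridged VAP's VLAN equal to the AP system profile's Native VLAN leaves enet0 untagged, any other VLAN leaves tagged) and flags SSIDs whose traffic would land in the wrong VLAN or be dropped. The switch model (untagged frames go to the port's native VLAN, tagged frames pass only if allowed), all names, and the sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SwitchPort:              # hypothetical model of the port facing the AP's enet0
    native_vlan: int           # VLAN assigned to untagged frames
    allowed_tagged: frozenset  # VLAN IDs accepted with an 802.1Q tag

def ap_egress_tag(vap_vlan, ap_native_vlan):
    """Tag the AP puts on a bridged client's frame; None means untagged."""
    return None if vap_vlan == ap_native_vlan else vap_vlan

def landing_vlan(vap_vlan, ap_native_vlan, port):
    """VLAN the frame ends up in on the switch, or None if the port drops it."""
    tag = ap_egress_tag(vap_vlan, ap_native_vlan)
    if tag is None:
        return port.native_vlan
    return tag if tag in port.allowed_tagged else None

def audit(vaps, ap_native_vlan, port):
    """Return {ssid: (problem, landed_vlan)} for bridged VAPs that misbehave."""
    findings = {}
    for ssid, vlan in vaps.items():
        landed = landing_vlan(vlan, ap_native_vlan, port)
        if landed is None:
            findings[ssid] = ("dropped", None)       # tagged VLAN not on the trunk
        elif landed != vlan:
            findings[ssid] = ("wrong-vlan", landed)  # client lands in another segment
    return findings

# Constructed sample: three bridged SSIDs and the trunk port the AP is plugged into.
VAPS = {"staff": 20, "guest": 30, "voice": 40}
PORT = SwitchPort(native_vlan=1, allowed_tagged=frozenset({20, 30}))

if __name__ == "__main__":
    # AP Native VLAN set to 20 while the switch port's native VLAN is 1:
    # staff frames leave untagged and land in VLAN 1; voice is never trunked.
    for ssid, (problem, landed) in audit(VAPS, 20, PORT).items():
        print(f"{ssid}: {problem}" + (f" (lands in VLAN {landed})" if landed else ""))
```

A "wrong-vlan" finding is the one that matters most for segmentation: the client silently joins a VLAN the Virtual AP was never meant to reach.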