Wireless Access

Occasional Contributor I
Posts: 6
Registered: ‎12-26-2010

Confused about Remote AP setup for a remote Office

I'm getting a little confused with terminology and lingo and wanted to ask a few questions to straighten things out regarding Remote APs. I need to set up a remote office and they need Wi-Fi access as well as access to local services (file share, internal sites, etc.) behind a firewall at our main building.

So far I've done the following setup: public IP on controller, firewall open for UDP port 4500, Enable IPsec, L2TP, PAP for auth and then set up an L2TP IP pool. I've also set up a VAP for the Remote APs, and added our main SSID and AAA profile. I then changed the VAP's forwarding mode to bridge. This was the beginning of my questions; when I did this it complained that I needed Control plane security enabled. When I googled this I saw a thread with someone saying Enable CPS and auto cert provisioning. They then said that this is not needed if this is for RAPs. When he mentions RAPs does he mean remote APs or the cheap RAP-3 type APs? From googling I did run across some stuff regarding those not being capable of IPsec, so maybe it's just a miscommunication issue.

Currently I do not have Control plane security enabled, which I believe is needed. However this is part of my confusion since ultimately I would prefer not to turn it on since it sounds like all my APs would need to reboot to enable it. I also read in another thread that if you use a RAP setup as a VPN or set up the VAP as split tunnel then you don't need to enable control plane security. Not really sure the best way to approach this. I have money to buy APs if needed however I also can repurpose some older 125/135s if those can work as well.

Also my last question is that I read somewhere that you can’t use guest captive portal in bridged mode. Is there any way around this?

Thanks

MVP
Posts: 4,309
Registered: ‎07-20-2011

Re: Confused about Remote AP setup for a remote Office

The reason why you need CPSec is that the APs you are using are Campus APs and you are trying to configure those in bridge mode; CPSec is a requirement to allow this to work that way.

If those are not IAPs then you can change a variable that allows you to use those as Remote APs.

In order for you to add this you will need to do it from the console, stop the boot process, and then add the following:
> remote_ap 1
> save
> boot
Once you have done that then do this:

- Create a RAP pool
  [screenshot: Security VPN]

- Add the AP MAC address to the RAP whitelist and assign the AP-Group you will be using
  [screenshot: Switch General Configuration]

- Make sure that the public IP is configured here
  [screenshot: AP Group]

Then you should be able to change the VAP into bridge mode; make sure you don't have any Campus APs assigned to that AP-Group.

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor I
Posts: 6
Registered: ‎12-26-2010

Re: Confused about Remote AP setup for a remote Office

Thanks for the reply Victor. Following your steps, along with what I did previously, got the RAP connected and I'm able to see the SSID and authenticate with it. However at this point no websites load on the internet or resources local to my main office. The RAP hands out an IP successfully from the local router.

Is my problem firewall related? I'm unsure why nothing is loading at this point. I was doing some quick digging and wondering if it's partly due to firewall and also maybe because I'm in bridged mode and should be in split tunnel. I quickly tried split tunnel (using same vlan that I use with my other main network). I'm able to see the SSID, it also says I authenticate correctly but it doesn't assign an IP. It stays at limited connectivity.

Any ideas? Thanks!

MVP
Posts: 4,309
Registered: ‎07-20-2011

Re: Confused about Remote AP setup for a remote Office

Follow these instructions for the split tunneling:
https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/R-541

Is the DHCP server located at the branch office?
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor I
Posts: 6
Registered: ‎12-26-2010

Re: Confused about Remote AP setup for a remote Office

OK I followed those instructions but I'm still having issues. The IP the RAP assigns clients is 169.254.143.96 and it doesn't let me access any sites. I can't ping anything, etc. I have a few DHCP servers. The Aruba controller does DHCP to the VLANs for the VAPs. I have a DHCP server for my wired network, and I also have a DHCP server at the remote location where the RAP will be plugged in. Not sure how to specify which to use. I assume it would use the DHCP server from the VLAN I assigned it when I put it in split-tunnel mode. If that's the case does it send the traffic through the tunnel to get the DHCP response? I have the user role corporate-split added to the Initial role, MAC auth default role and 802.1x auth default role. This role has the ACL corporate split added which has three rules: any any svc-dhcp permit, any our-network any permit, user any any route src-nat.

MVP
Posts: 4,309
Registered: ‎07-20-2011

Re: Confused about Remote AP setup for a remote Office

The question is if your clients will get DHCP from the local resources or from the HQ DHCP server?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor I
Posts: 6
Registered: ‎12-26-2010

Re: Confused about Remote AP setup for a remote Office

I was basically trying to say that I don't care where they get an IP from as long as they get one. It can be locally or tunneled. I'm using split tunnel since they need resources from our main location. Maybe that dictates what DHCP server the RAP will hand out. I'm not really sure how to configure it otherwise, the only part I see that mentions DHCP is in relation to Remote AP Backup DHCP but I think that's more of a backup solution from what I've read.

MVP
Posts: 4,309
Registered: ‎07-20-2011

Re: Confused about Remote AP setup for a remote Office

Well the issue is that the ACL on the roles changes based on where the DHCP is located, so right now it is set so that if you have a DHCP in your HQ your clients will get the IP from there and access to the internal resources, and everything will be handled locally.
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
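
Added example, not part of any post in this thread and not Aruba's code: a first-match walk through the three corporate-split rules quoted above, showing which client traffic goes through the tunnel and which leaves locally. The 10.0.0.0/8 value standing in for the our-network alias and the sample packets are constructed; mapping permit to the tunnel and route src-nat to the local uplink is an assumption based on the split-tunnel behaviour described in the last reply.

```python
import ipaddress

# Constructed stand-in for the "our-network" alias; the thread never gives the subnet.
OUR_NETWORK = ipaddress.ip_network("10.0.0.0/8")

# Assumed split-tunnel meaning of each action (see lead-in).
TUNNEL = "tunnel to controller (HQ)"
LOCAL = "local uplink, source-NATed by the RAP"
DROP = "dropped (no rule matched)"

def is_dhcp(pkt):
    # svc-dhcp: UDP ports 67 (server) and 68 (client)
    return pkt["proto"] == "udp" and pkt["dport"] in (67, 68)

def to_our_network(pkt):
    return ipaddress.ip_address(pkt["dst"]) in OUR_NETWORK

# The rules in the order given in the post; rule order matters (first match wins).
RULES = [
    ("any any svc-dhcp permit", is_dhcp, TUNNEL),
    ("any our-network any permit", to_our_network, TUNNEL),
    ("user any any route src-nat", lambda pkt: True, LOCAL),
]

def classify(pkt):
    """Return (matching rule, forwarding path) for one client packet."""
    for rule, matches, path in RULES:
        if matches(pkt):
            return rule, path
    return None, DROP

# Constructed sample packets from a client behind the RAP.
SAMPLES = {
    "dhcp_discover": {"proto": "udp", "dst": "255.255.255.255", "dport": 67},
    "hq_file_share": {"proto": "tcp", "dst": "10.1.2.3", "dport": 445},
    "internet_https": {"proto": "tcp", "dst": "203.0.113.10", "dport": 443},
}

def walk():
    """Classify every sample packet; returns {name: (rule, path)}."""
    return {name: classify(pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, (rule, path) in walk().items():
        print(f"{name:15} -> {path:40} [{rule}]")
```

A client left with a 169.254.x.x address, as in the thread, received no DHCP answer. Under these rules the DHCP request matches the first rule and goes over the tunnel, so the lease has to come from a scope on the HQ side for the VLAN assigned to the VAP.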