Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Instant AP & EAP-TLS certificates

  • 1.  Instant AP & EAP-TLS certificates

    Posted Jul 23, 2013 01:38 PM

    I have a customer who wants to set up their Instant APs using EAP-TLS, to match the WLAN configuration they use in their head office.  They will be using the Instants with VPN to give roaming users access back to the office.  Kind of like a RAP, but without the RAP licensing.

     

    They are using an IAS server for Radius / 802.1x authentication.  

     

    My question is, how do I get this working with the Instant APs?  These will be deployed all over the place like RAPs with dynamic addresses.  So we can't create Radius Clients for them in IAS.

     

    I know that I can install certificates on the Instant and have EAP terminate on the Instant, but do I need to install a unique certificate on each Instant?   Or can I use the same server certificate on each Instant?  And what about the subject name, etc. for the certificate? 



  • 2.  RE: Instant AP & EAP-TLS certificates

    Posted Jul 23, 2013 02:18 PM

    Just to get clarity: when you say Instant with VPN to give remote access back to the office, do you mean we are trying to terminate the Instant access point's VPN on the head office controller? Please confirm. If yes, the link below should give the procedure to configure it.

     

    http://community.arubanetworks.com/t5/Aruba-Instant/What-can-you-terminate-an-IAP-VPN-on/td-p/64756

     

    For EAP-TLS on Instant, see the link below.

     

    http://community.arubanetworks.com/t5/Aruba-Instant/IAP-TLS-authentication/td-p/48946

     

    Thanks!

     


     

     



  • 3.  RE: Instant AP & EAP-TLS certificates
    Best Answer

    EMPLOYEE
    Posted Jul 23, 2013 02:26 PM

    If you have the PEFV license on the controller, you can alter the default-iap role and source-NAT RADIUS packets out of the controller.  From the perspective of IAS, ALL instant APs and sites would look like auth requests coming from the controller's IP and not the IAP's IP.  

     

    This is explained in detail in the Instant User guide which covers both the IAP config as well as the controller config.

     

    Config Stub

     

    (host) (config) #ip access-list session iaprole
    (host) (config-sess-iaprole)#any host <radius-server-ip> any src-nat <--- this line will source NAT ALL RADIUS requests to the IAS server as the Controller IP and NOT the individual IAP IPs.

    (host) (config-sess-iaprole)#any any any permit

    (host) (config-sess-iaprole)#!
    (host) (config) #user-role iaprole
    (host) (config-role) #session-acl iaprole

     

    You then apply that role to the "default-iap" auth profile found in "Authentication --> L3 Authentication" on the controller

     

    (host) (config) #aaa authentication vpn default-iap

    (host) (VPN Authentication Profile "default-iap") #default-role iaprole 

     




  • 4.  RE: Instant AP & EAP-TLS certificates

    Posted Jul 23, 2013 02:53 PM

    Seth, thank you, that's exactly what I was looking for.

    They don't have PEFV licenses, but I'll work on that.



  • 5.  RE: Instant AP & EAP-TLS certificates

    EMPLOYEE
    Posted Jul 23, 2013 02:57 PM

    Yeah...so in order to alter the default IAP role, you will need the PEF-V.   EDITED>>>



  • 6.  RE: Instant AP & EAP-TLS certificates

    Posted Jul 23, 2013 03:00 PM

    Yeah, licensing has been a real pain on this one.  It was sold to the customer with no licenses, because someone thought you don't need any licenses to set up IAP+VPN.  But then it was scoped to me as a RAP installation...

     

    So you're saying that with 30 IAPs, all I will need is 1x PEFV and 1x PEFNG?  Not 30x each?



  • 7.  RE: Instant AP & EAP-TLS certificates

    EMPLOYEE
    Posted Jul 23, 2013 03:10 PM

    EDITED FROM BEFORE!!!

    Couple of things.

     

    1. The PEFV license is a box license so think of it as a feature enablement license.  You would only need one.  

    2. The PEFNG license does not allow you to alter the default-vpn role that the IAPs are assigned.

     

    In your situation, you will need 1 PEFV license per controller.  This will allow you to alter the default-vpn role or assign a different role in the controller where the IAPs are assigned when they connect their VPNs.  

     

    Technically, you were sold the solution correctly.  You do not need any licenses to terminate the IAPs to a controller.  A controller out of the box will allow you to configure itself as a VPN concentrator for the IAPs.  However, you need to source NAT RADIUS authentication traffic.  Therefore, you will need to create source NAT firewall rules which will require the PEFV license in order to enable that area of the controller's config and feature set.  

     

    Hopefully this made some sense!



  • 8.  RE: Instant AP & EAP-TLS certificates

    Posted Jul 23, 2013 03:13 PM

    Ok, so in this case the controller is being used exclusively to terminate the IAP VPNs, so all I will need is the PEF-NG license, correct?



  • 9.  RE: Instant AP & EAP-TLS certificates

    EMPLOYEE
    Posted Jul 23, 2013 03:15 PM

    No...you will need one PEF-V license in order to accomplish this.  

     

    I would get an eval license in place in the meantime so you can accomplish and test this in short order.  



  • 10.  RE: Instant AP & EAP-TLS certificates

    Posted Jul 23, 2013 04:22 PM

    Hmmm... still not working.  I can see the IAP in the controller, and it is assigned to the iaprole, but still not getting through to the Radius server...



  • 11.  RE: Instant AP & EAP-TLS certificates

    EMPLOYEE
    Posted Jul 23, 2013 04:27 PM

    You should start looking at the IAP config in the VPN settings.  Do you have Dynamic RADIUS proxy enabled in the admin screen?



  • 12.  RE: Instant AP & EAP-TLS certificates

    Posted Jul 23, 2013 04:35 PM

    Yes, dynamic radius proxy is set.

     

    Also, VPN settings are pretty straightforward - IPSec, and routing is set to use the controller IP as the default gateway.

    The SSID VLAN is set to "statically assigned" and points to the client VLAN 13, which is configured on the controller.

    I have a L2,Centralized DHCP scope set up, for VLAN13.  Enabled DHCP relay in that, pointing to their DHCP server IP.

     

     



  • 13.  RE: Instant AP & EAP-TLS certificates

    EMPLOYEE
    Posted Jul 23, 2013 04:44 PM

    Any chance you can post the configs from both IAP and controller?  If you strip down the SSID to a PSK or open, does the VPN tunnel to HQ work?

     

    Also, the output of "show iap table long"



  • 14.  RE: Instant AP & EAP-TLS certificates

    EMPLOYEE
    Posted Jul 24, 2013 08:14 AM

    To anyone reading this thread - I made some corrections in my licensing requirements for this scenario.  I had previously written that the PEFNG license would work for this situation.  However, I incorrectly stated that.  You require the PEF-V license for anything related to changing the roles or policies for the IAPs.

     

    NOTE:  In most situations, using the VPN functionality with IAPs will not require ANY licenses.  



  • 15.  RE: Instant AP & EAP-TLS certificates

    Posted Jul 24, 2013 08:55 AM

    Even when using open authentication, I still can't get into the corporate VLANs.  So that's likely where the problem is.  Now I just need to find out why.  

    More info:  When connecting to the CorpNet-test WLAN, users should be placed into VLAN 13 which exists on their LAN.  The controller is configured for VLAN 13, and this works when using a RAP. 

     

    (Aruba3200) #show iap table long
    ^
    % Invalid input detected at '^' marker.

    (Aruba3200) #show iap table

    Branch Key                                          Index  Status  Inner IP    MAC Address        Subnet
    ----------                                          -----  ------  --------    -----------        ------
    e08b7d4501281ae829dbae1edb29b03d8bac95cde9c74dd06a  1      UP      172.17.2.3  00:0b:86:8d:fd:ca
    7239dace01c6309af9eb7c81b8670a22f41b74651160d5a5a1  0      DOWN    0.0.0.0     00:0b:86:83:4a:4f

     

    The IAP config:

    --------------------

    version 6.2.1.0-3.3.0
    virtual-controller-country CA
    virtual-controller-key *
    name corp-Instant
    terminal-access
    clock timezone none 00 00
    rf-band all
    dynamic-radius-proxy

    allow-new-aps
    allowed-ap 00:0b:86:8d:fd:ca

    routing-profile
    route 10.10.0.0 255.255.0.0 10.10.0.230
    route 10.14.0.0 255.255.0.0 10.10.0.230
    route 10.13.0.0 255.255.0.0 10.10.0.230
    route 10.12.0.0 255.255.254.0 10.10.0.230


    arm
    wide-bands 5ghz
    min-tx-power 18
    max-tx-power 127
    band-steering-mode prefer-5ghz
    air-time-fairness-mode fair-access
    client-aware
    scanning

    syslog-level warn ap-debug
    syslog-level warn network
    syslog-level warn security
    syslog-level warn system
    syslog-level warn user
    syslog-level warn user-debug
    syslog-level warn wireless

     

    vpn primary 207.164.26.155

    mgmt-user admin *

    wlan access-rule basic
    rule any any match any any any permit

    wlan access-rule corpNet-test
    rule any any match any any any permit

    wlan access-rule default_dev_rule
    rule any any match any any any permit

    wlan access-rule default_wired_port_profile
    rule any any match any any any permit

    wlan access-rule wired-instant
    rule 192.168.220.149 255.255.255.255 match tcp 80 80 permit
    rule 192.168.220.149 255.255.255.255 match tcp 4343 4343 permit
    rule any any match udp 67 68 permit
    rule any any match udp 53 53 permit

    wlan ssid-profile basic
    enable
    index 0
    type employee
    essid basic
    wpa-passphrase *
    opmode wpa2-psk-aes
    max-authentication-failures 0
    vlan guest
    rf-band all
    captive-portal disable
    dtim-period 1
    inactivity-timeout 1000
    broadcast-filter none
    blacklist
    dmo-channel-utilization-threshold 90
    local-probe-req-thresh 0
    max-clients-threshold 64

    wlan ssid-profile corpNet-test
    enable
    index 1
    type employee
    essid corpNet-test
    opmode wpa2-aes
    max-authentication-failures 0
    vlan 13
    auth-server corp-Radius
    rf-band all
    captive-portal disable
    dtim-period 1
    inactivity-timeout 1000
    broadcast-filter none
    blacklist
    dmo-channel-utilization-threshold 90
    local-probe-req-thresh 0
    max-clients-threshold 64

    auth-survivability cache-time-out 24

     

    wlan auth-server corp-Radius
    ip 10.10.0.103
    port 1812
    acctport 1813
    key *

    wlan external-captive-portal
    server localhost
    port 80
    url "/"
    auth-text "Authenticated"


    blacklist-time 3600
    auth-failure-blacklist-time 3600

    ids
    wireless-containment none

    ip dhcp Vlan13_DHCP
    server-type Centralized,L2
    server-vlan 13
    dhcp-relay
    dhcp-server 10.10.1.6

     

    wired-port-profile default_wired_port_profile
    switchport-mode trunk
    allowed-vlan all
    native-vlan 1
    shutdown
    access-rule-name default_wired_port_profile
    speed auto
    duplex full
    no poe
    type employee
    captive-portal disable
    no dot1x

    wired-port-profile wired-instant
    switchport-mode access
    allowed-vlan all
    native-vlan guest
    no shutdown
    access-rule-name wired-instant
    speed auto
    duplex auto
    no poe
    type guest
    captive-portal disable
    no dot1x


    enet0-port-profile default_wired_port_profile

    uplink
    preemption
    enforce none
    failover-internet-pkt-lost-cnt 10
    failover-internet-pkt-send-freq 30
    failover-vpn-timeout 180


    airgroup
    disable

    airgroupservice airplay
    disable
    description AirPlay
    id _airplay._tcp
    id _raop._tcp

    airgroupservice airprint
    disable
    description AirPrint
    id _ipp._tcp
    id _pdl-datastream._tcp
    id _printer._tcp
    id _scanner._tcp
    id _universal._sub._ipp._tcp
    id _printer._sub._http._tcp
    id _http._tcp
    id _http-alt._tcp
    id _ipp-tls._tcp
    id _fax-ipp._tcp
    id _riousbprint._tcp
    id _cups._sub._ipp._tcp
    id _cups._sub._fax-ipp._tcp
    id _ica-networking._tcp
    id _ptp._tcp
    id _canon-bjnp1._tcp

     



  • 16.  RE: Instant AP & EAP-TLS certificates

    Posted Jul 24, 2013 10:32 AM

    Finally got it all working. 

     

    1.  Added default route in the IAP VPN for all traffic to go to the Controller IP (0.0.0.0 0.0.0.0 10.10.0.230)

    2.  Removed the DHCP relay address from the IAP / DHCP server config.  It already exists on the VLAN on the controller, so this was causing confusion.

    3.  Set up src nat as described above.  Added a trial license for PEF-V for now.

    4.  Corrected a typo in the Radius server IP address on the IAP :s  

     

    Fun & good times :)

     

    Thanks for all the help!
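
Added example, not part of the original posts or of Aruba's tooling: a small offline check of the kind of mistake fixed in steps 1 and 4 above, confirming that every `wlan auth-server` IP in an IAP config falls inside a `routing-profile` route. It assumes the RADIUS server has to be reached through the VPN tunnel; the sample text is a constructed excerpt modelled on the config posted above, and `corp-Radius-typo` with `10.11.0.103` is a made-up entry standing in for a mistyped address.

```python
import ipaddress

# Constructed excerpt modelled on the IAP config posted in the thread.
# "corp-Radius-typo" is a made-up entry standing in for a mistyped server IP.
SAMPLE_CONFIG = """\
routing-profile
route 10.10.0.0 255.255.0.0 10.10.0.230
route 10.14.0.0 255.255.0.0 10.10.0.230
route 10.13.0.0 255.255.0.0 10.10.0.230
route 10.12.0.0 255.255.254.0 10.10.0.230

wlan auth-server corp-Radius
ip 10.10.0.103
port 1812

wlan auth-server corp-Radius-typo
ip 10.11.0.103
port 1812
"""

def parse(config):
    """Return (routes, auth_servers); a section ends at a blank line or new header."""
    routes, servers, section = [], {}, None
    for line in config.splitlines():
        w = line.split()  # tolerates both indented and flattened dumps
        if not w:
            section = None
        elif w == ["routing-profile"]:
            section = "routes"
        elif len(w) == 3 and w[:2] == ["wlan", "auth-server"]:
            section = ("auth", w[2])
        elif section == "routes" and len(w) == 4 and w[0] == "route":
            net = ipaddress.ip_network(f"{w[1]}/{w[2]}", strict=False)
            routes.append((net, w[3]))
        elif isinstance(section, tuple) and len(w) == 2 and w[0] == "ip":
            servers[section[1]] = ipaddress.ip_address(w[1])
    return routes, servers

def tunnel_route_for(ip, routes):
    """Longest-prefix routing-profile match for ip, or None if not tunnelled."""
    hits = [(net, gw) for net, gw in routes if ip in net]
    return max(hits, key=lambda h: h[0].prefixlen, default=None)

def check_auth_servers(config):
    """Map each auth-server name to its tunnel gateway, or None if uncovered."""
    routes, servers = parse(config)
    hits = {name: tunnel_route_for(ip, routes) for name, ip in servers.items()}
    return {name: (hit[1] if hit else None) for name, hit in hits.items()}

if __name__ == "__main__":
    for name, gw in check_auth_servers(SAMPLE_CONFIG).items():
        print(f"{name}: {'via ' + gw if gw else 'NOT covered by routing-profile'}")
```

Once a `0.0.0.0 0.0.0.0` route is added as in step 1, every address is covered, so this check no longer flags a mistyped server IP and the address has to be compared against the RADIUS server directly.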



  • 17.  RE: Instant AP & EAP-TLS certificates

    EMPLOYEE
    Posted Jul 24, 2013 10:35 AM

    Great!  You saved me a few screen shots that I was just replying back with!  Glad it is working.  

     

    Keep in mind...if you don't want the PEFV license, you can add the L2TP Inner IP addresses from the pool (assigned to the IAPs) to the RADIUS server.  I believe that the IAS can accept a network as one NAS entry but I may be wrong.

     

    I know we can do that with ClearPass.



  • 18.  RE: Instant AP & EAP-TLS certificates

    Posted Jul 25, 2013 09:43 AM

    Yes, I could add the inner IP pool subnet as a Radius client, but there is no route to the inner pool from their network.   This customer does not want to change any routes on their network, hence the L2-centralized setup.