
Master-Local Questions

  • 1.  Master-Local Questions

    Posted Sep 19, 2013 02:30 PM

    We currently have an M3 running as a master controller.  I purchased a 7220 with the intention of using it as a local controller.  Right now, I have it up in Master mode with a basic configuration on it.  I have configured a few NetDestinations and have an access list that is referred to on my main uplink port to restrict access to and from the controller to specific services from outside of our network.  I have some questions on this and some other issues with concern about what will happen when this is switched to a local controller in the very near future.

     

    1.  From reading documentation, it appears, when I switch it to a local controller, all of my netdestination statements will be erased and replaced with the netdestination statements from the master controller?  Is this correct?  Both controllers Netdestinations are named the same, but contain differing information (differing networks and hosts).   If so, does that mean I will need to combine all of the information from both controllers in the Netdestinations?

     

    2.  What about my Session ACL on my main interface for the 7220?  Will I need to re-apply that?

     

    3.  Does switching to local erase my Vlan configurations on the controller?  What about static IP Addresses that are set? 

     

    4.  Is there documentation on what is and what is not configurable on the Local Controller when accessing it through the console cable in a Master-Local environment?

     

    5.  Are any of the server settings configurable on the local controller?  I saw a posting indicating that radius servers use the same information from the master, which required you to enter the Local Controller Information with the same Secret on our radius environment.  Is this true for all of the servers?  Does this include with our Clearpass environment?

     

    6.  Is it best practice to terminate RAPs on a local controller or on the Master?

     

    I'm sure more will come up, but I just want to make sure I'm covering everything before I make the switch over to local.  My timeframe is to do this when 6.3 goes General release.  I'm currently doing tests on my 7220 so I'm familiar with any changes from 6.1.

     

    Any answers and advice would be greatly appreciated.  Thanks.


    #7220


  • 2.  RE: Master-Local Questions
    Best Answer

    EMPLOYEE
    Posted Sep 19, 2013 03:04 PM

    @ShawnShoe wrote:

    We currently have an M3 running as a master controller.  I purchased a 7220 with the intention of using it as a local controller.  Right now, I have it up in Master mode with a basic configuration on it.  I have configured a few NetDestinations and have an access list that is referred to on my main uplink port to restrict access to and from the controller to specific services from outside of our network.  I have some questions on this and some other issues with concern about what will happen when this is switched to a local controller in the very near future.

     

    1.  From reading documentation, it appears, when I switch it to a local controller, all of my netdestination statements will be erased and replaced with the netdestination statements from the master controller?  Is this correct? YES  Both controllers Netdestinations are named the same, but contain differing information (differing networks and hosts).   If so, does that mean I will need to combine all of the information from both controllers in the Netdestinations? YES, but that is too much trouble.  Everything should be defined on the current master and flow to the local when you add it.

     

    2.  What about my Session ACL on my main interface for the 7220?  Will I need to re-apply that? YES, because it will not be defined when you change from a master to a local.  ACLs are global parameters that flow from the master.

     

    3.  Does switching to local erase my Vlan configurations on the controller?  What about static IP Addresses that are set? Vlan numbers, switch port configurations, ip addresses and layer2 and 3 information generally are local configurations and will stay after you convert it to a local.

     

    4.  Is there documentation on what is and what is not configurable on the Local Controller when accessing it through the console cable in a Master-Local environment?  Yes, there is.

     

    5.  Are any of the server settings configurable on the local controller?  I saw a posting indicating that radius servers use the same information from the master, which required you to enter the Local Controller Information with the same Secret on our radius environment.  Is this true for all of the servers?  Does this include with our Clearpass environment?  Server settings are global

     

    6.  Is it best practice to terminate RAPs on a local controller or on the Master?  It is your choice.  The controller that is easiest to expose to the internet via UDP 4500 and has the capacity you need is the one you should use.  No best practice.

     

    I'm sure more will come up, but I just want to make sure I'm covering everything before I make the switch over to local.  My timeframe is to do this when 6.3 goes General release.  I'm currently doing tests on my 7220 so I'm familiar with any changes from 6.1.  You can upgrade to the latest 6.2.x, which is GA for testing.  You can run your M3 and your 7220 on that version of code at the same time without having to upgrade to 6.3 before it is GA.

     

    Any answers and advice would be greatly appreciated.  Thanks.


     


    #7220
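A pre-conversion check for the situation in questions 1 and 2, added here as an example and not taken from the thread or from Aruba: it compares the `netdestination` blocks of the master with those of the controller about to become a local, and lists members that exist only on the future local and so would disappear once the master's global configuration replaces them. The two configurations and the names `mgmt-hosts`, `guest-dns` and `uplink-peers` are constructed sample data.

```python
import re

# Constructed sample configs (not from the thread): same netdestination
# names on both controllers, different members, as described in question 1.
MASTER_CFG = """\
netdestination mgmt-hosts
  host 10.10.1.5
  network 10.10.20.0 255.255.255.0
!
netdestination guest-dns
  host 10.10.1.53
!
"""
LOCAL_CFG = """\
netdestination mgmt-hosts
  host 10.10.1.5
  host 10.30.1.9
!
netdestination uplink-peers
  network 192.0.2.0 255.255.255.0
!
"""

def parse_netdestinations(cfg):
    """Return {name: set of member lines} for each netdestination block."""
    dests, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"netdestination\s+(\S+)", line)
        if m:
            current = dests.setdefault(m.group(1), set())
        elif line.strip() == "!" or not line.startswith((" ", "\t")):
            current = None  # block ended
        elif current is not None and line.strip():
            current.add(" ".join(line.split()))  # normalise whitespace
    return dests

def missing_on_master(master_cfg, local_cfg):
    """Members on the future local that the master's config does not contain."""
    master = parse_netdestinations(master_cfg)
    gaps = {}
    for name, members in parse_netdestinations(local_cfg).items():
        lost = members - master.get(name, set())
        if lost:
            gaps[name] = sorted(lost)
    return gaps

if __name__ == "__main__":
    for name, lost in missing_on_master(MASTER_CFG, LOCAL_CFG).items():
        print(f"netdestination {name}: add to master first -> {lost}")
```

Any member it reports has to be added to the master before the conversion if the session ACL on the uplink port is to keep matching the same hosts and networks afterwards.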


  • 3.  RE: Master-Local Questions

    Posted Sep 19, 2013 03:17 PM

    Thanks for the speedy reply.  I think you pretty much covered everything there.

     

    I'm waiting for license pooling (6.3) before I do the conversion.  I was advised to wait for the General Release by our SE due to some open bugs that they were working on in regards to Hidden SSIDs on 6.3.

     

    Since my current M3 is running as master with all my access points terminated on it, will it have any noticeable outage when I add the 7220 as a local to it?  Eventually I'll terminate the Access Points on the local, but will be doing that during a maintenance window.

     

    Thanks again.

     

     

     

     


    #7220


  • 4.  RE: Master-Local Questions

    EMPLOYEE
    Posted Sep 19, 2013 03:21 PM

    No outage if you add a local to a master.  Just make sure you first have the Master on 6.2.x, FIRST.



  • 5.  RE: Master-Local Questions

    Posted Sep 19, 2013 04:14 PM

    What about my captive portal certificate?  Will that be copied or will I need to install a second certificate on the local controller?  If it does add that from the master, will I need to update my DNS to resolve that name to both IP Addresses?



  • 6.  RE: Master-Local Questions

    EMPLOYEE
    Posted Sep 19, 2013 04:18 PM

    You will have to add a separate server certificate for that controller.

    For each local controller, however, you need to put in the "ip cp-redirect-address" commandline configuration which is the ip address on the local controller that you want the captive portal hosted on.

    Each local controller will automatically redirect traffic to the fqdn of the imported certificate. If you use a public CA to issue server certs to your controllers, your clients will only have to trust the CA that issues the certificates to your servers. Public CAs can tell you if all guest clients will do this.




  • 7.  RE: Master-Local Questions

    EMPLOYEE
    Posted Sep 19, 2013 04:24 PM
    If you did the CSR on a web server and have the private key to export, you
    can use the same cert on both controllers.

    If you did it on the controller, the private key is not exportable.


  • 8.  RE: Master-Local Questions

    Posted Jul 10, 2019 07:53 AM

    Hi

    I have an aruba access point 215. I did factory_reset.

    My plan is to join this access point to my network that includes 4 access points.

    I configured IP, Gateway, DNS and VLAN number is also configured.

    This new access point comes up as master, I have no idea how to configure the new AP to be as slave and be able to join to my network.

    Gonna be happy if you have any info to help me in this case



  • 9.  RE: Master-Local Questions

    Posted Sep 19, 2013 04:24 PM

    Is that still true when using Clearpass for my captive portals? 

     

    The certificate is only called on the initial connection and the redirect back to the controller after authentication, correct?  I have a couple different subnets that are using this service.



  • 10.  RE: Master-Local Questions

    EMPLOYEE
    Posted Sep 19, 2013 04:29 PM

    @ShawnShoe wrote:

    Is that still true when using Clearpass for my captive portals? 

     

    The certificate is only called on the initial connection and the redirect back to the controller after authentication, correct?  I have a couple different subnets that are using this service.


    You will need a public certificate for any controller doing a redirect, as well as the ClearPass captive portal.  The initial web redirect is done by the controller, which needs to have a public certificate for a successful redirect, instead of a page prompting the user to trust it.  After the controller does the redirect, the ClearPass captive portal page used to authenticate guests, etc, needs to have a public certificate so that users do not have to manually trust it when they land on that page.  If neither the controller nor clearpass has a public certificate, the user will be prompted twice: once to accept the certificate from the redirect, and once from the clearpass box.  That typically leads to a bad experience.

     



  • 11.  RE: Master-Local Questions

    Posted Sep 19, 2013 04:35 PM

    Right.. I guess my question stems from your suggestion of using this command "ip cp-redirect-address".  I'm not currently using it on my master for my captive portal configurations with Clearpass, I just searched my config for it and it doesn't exist currently.  Is this something that is required because it will be a local controller or would I only need this if I was using the internal Captive Portal? 



  • 12.  RE: Master-Local Questions

    EMPLOYEE
    Posted Sep 19, 2013 04:40 PM

    The ip cp-redirect address is used to determine what ip address on the local controller will bring up the captive portal or do the redirect.  By default, that is the controller's management ip address.  If that address will not be reachable to your captive portal clients that is when you would use the ip cp-redirect-address parameter to point it to the interface on the guest network on that local or master controller.  It is mainly for when a guest would not be able to reach the management ip address of the controller to bring up the page or accept a redirect.

     

    If the captive portal works just fine, please disregard.



  • 13.  RE: Master-Local Questions

    Posted Sep 19, 2013 04:41 PM

    Thank You.  That makes sense now. 



  • 14.  RE: Master-Local Questions

    Posted Jul 10, 2019 07:46 AM

    Hi

    I have an aruba access point 215. I did factory_reset.

    My plan is to join this access point to my network that includes 4 access points.

    I configured IP, Gateway, DNS and VLAN number is also configured.

    This new access point comes up as master, I have no idea how to configure the new AP to be as slave and be able to join to my network.

    Gonna be happy if you have any info to help me in this case.


    @cjoseph wrote:

    @ShawnShoe wrote:

    Is that still true when using Clearpass for my captive portals? 

     

    The certificate is only called on the initial connection and the redirect back to the controller after authentication, correct?  I have a couple different subnets that are using this service.


    You will need a public certificate for any controller doing a redirect, as well as the ClearPass captive portal.  The initial web redirect is done by the controller, which needs to have a public certificate for a successful redirect, instead of a page prompting the user to trust it.  After the controller does the redirect, the ClearPass captive portal page used to authenticate guests, etc, needs to have a public certificate so that users do not have to manually trust it when they land on that page.  If neither the controller nor clearpass has a public certificate, the user will be prompted twice: once to accept the certificate from the redirect, and once from the clearpass box.  That typically leads to a bad experience.