Wireless Access

Frequent Contributor I
Posts: 63
Registered: 05-21-2012

Master-Local Questions

We currently have an M3 running as a master controller.  I purchased a 7220 with the intention of using it as a local controller.  Right now, I have it up in Master mode with a basic configuration on it.  I have configured a few NetDestinations and have an access list that is referred to on my main uplink port to restrict access to and from the controller to specific services from outside of our network.  I have some questions on this and some other issues with concern about what will happen when this is switched to a local controller in the very near future.

 

1.  From reading documentation, it appears, when I switch it to a local controller, all of my netdestination statements will be erased and replaced with the netdestination statements from the master controller?  Is this correct?  Both controllers Netdestinations are named the same, but contain differing information (differing networks and hosts).   If so, does that mean I will need to combine all of the information from both controllers in the Netdestinations?

 

2.  What about my Session ACL on my main interface for the 7220?  Will I need to re-apply that?

 

3.  Does switching to local erase my Vlan configurations on the controller?  What about static IP Addresses that are set? 

 

4.  Is there documentation on what is and what is not configurable on the Local Controller when accessing it through the console cable in a Master-Local environment?

 

5.  Are any of the server settings configurable on the local controller?  I saw a posting indicating that radius servers use the same information from the master, which required you to enter the Local Controller Information with the same Secret on our radius environment.  Is this true for all of the servers?  Does this include with our Clearpass environment?

 

6.  Is it best practice to terminate RAPs on a local controller or on the Master?

 

I'm sure more will come up, but I just want to make sure I'm covering everything before I make the switch over to local.  My timeframe is to do this when 6.3 goes General release.  I'm currently doing tests on my 7220 so I'm familiar with any changes from 6.1.

 

Any answers and advice would be greatly appreciated.  Thanks.

Guru Elite
Posts: 21,524
Registered: 03-29-2007

Re: Master-Local Questions


ShawnShoe wrote:

We currently have an M3 running as a master controller.  I purchased a 7220 with the intention of using it as a local controller.  Right now, I have it up in Master mode with a basic configuration on it.  I have configured a few NetDestinations and have an access list that is referred to on my main uplink port to restrict access to and from the controller to specific services from outside of our network.  I have some questions on this and some other issues with concern about what will happen when this is switched to a local controller in the very near future.

 

1.  From reading documentation, it appears, when I switch it to a local controller, all of my netdestination statements will be erased and replaced with the netdestination statements from the master controller?  Is this correct? YES.  Both controllers Netdestinations are named the same, but contain differing information (differing networks and hosts).   If so, does that mean I will need to combine all of the information from both controllers in the Netdestinations? YES, but that is too much trouble.  Everything should be defined on the current master and flow to the local when you add it.

 

2.  What about my Session ACL on my main interface for the 7220?  Will I need to re-apply that? YES, because it will not be defined when you change from a master to a local.  ACLs are global parameters that flow from the master.

 

3.  Does switching to local erase my Vlan configurations on the controller?  What about static IP Addresses that are set? Vlan numbers, switch port configurations, ip addresses and layer 2 and 3 information generally are local configurations and will stay after you convert it to a local.

 

4.  Is there documentation on what is and what is not configurable on the Local Controller when accessing it through the console cable in a Master-Local environment?  Yes, there is.

 

5.  Are any of the server settings configurable on the local controller?  I saw a posting indicating that radius servers use the same information from the master, which required you to enter the Local Controller Information with the same Secret on our radius environment.  Is this true for all of the servers?  Does this include with our Clearpass environment?  Server settings are global.

 

6.  Is it best practice to terminate RAPs on a local controller or on the Master?  It is your choice.  The controller that is easiest to expose to the internet via UDP 4500 and has the capacity you need is the one you should use.  No best practice.

 

I'm sure more will come up, but I just want to make sure I'm covering everything before I make the switch over to local.  My timeframe is to do this when 6.3 goes General release.  I'm currently doing tests on my 7220 so I'm familiar with any changes from 6.1.  You can upgrade to the latest 6.2.x, which is GA for testing.  You can run your M3 and your 7220 on that version of code at the same time without having to upgrade to 6.3 before it is GA.

 

Any answers and advice would be greatly appreciated.  Thanks.


 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
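A pre-conversion check for question 1, added here as an example and not part of the thread or of ArubaOS itself: it parses the netdestination blocks of a master and a local config (constructed samples, assumed to use the standard `netdestination` / `host` / `network` / `range` syntax) and lists the entries the master would have to carry before the local's copies are overwritten, so a session ACL that references them keeps its coverage.

```python
"""Diff ArubaOS netdestination blocks between a master and a local config."""
import re
# Constructed sample configs (not from the thread); the syntax follows
# ArubaOS 'netdestination <name>' blocks terminated by '!'.
MASTER_CFG = """\
netdestination mgmt-hosts
  host 10.1.1.5
  network 10.1.0.0 255.255.0.0
!
netdestination radius-servers
  host 10.1.1.20
!
"""
LOCAL_CFG = """\
netdestination mgmt-hosts
  host 10.1.1.5
  host 10.5.1.9
  range 10.5.2.1 10.5.2.20
!
netdestination clearpass
  host 10.5.1.30
!
"""
BLOCK_RE = re.compile(r"^netdestination\s+(\S+)\n(.*?)^!", re.M | re.S)

def parse_netdestinations(cfg):
    """Return {name: set of entry lines} for every netdestination block."""
    return {name: {ln.strip() for ln in body.splitlines() if ln.strip()}
            for name, body in BLOCK_RE.findall(cfg)}

def missing_on_master(master_cfg, local_cfg):
    """Entries the local defines that the master lacks, keyed by name.
    After conversion the master's copy overwrites the local's, so a session
    ACL on the local that references these entries silently loses them."""
    master = parse_netdestinations(master_cfg)
    gaps = {}
    for name, entries in parse_netdestinations(local_cfg).items():
        diff = entries - master.get(name, set())
        if diff:
            gaps[name] = sorted(diff)
    return gaps

def render_merge_commands(gaps):
    """CLI lines to add on the master before converting the local."""
    lines = []
    for name, entries in sorted(gaps.items()):
        lines += [f"netdestination {name}", *(f"  {e}" for e in entries), "!"]
    return "\n".join(lines)

if __name__ == "__main__":
    print(render_merge_commands(missing_on_master(MASTER_CFG, LOCAL_CFG)))
```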

Frequent Contributor I
Posts: 63
Registered: 05-21-2012

Re: Master-Local Questions

Thanks for the speedy reply.  I think you pretty much covered everything there.

 

I'm waiting for license pooling (6.3) before I do the conversion.  I was advised to wait for the General Release by our SE due to some open bugs that they were working on in regards to Hidden SSIDs on 6.3.

 

Since my current M3 is running as master with all my access points terminated on it, will it have any noticeable outage when I add the 7220 as a local to it?  Eventually I'll terminate the Access Points on the local, but will be doing that during a maintenance window.

 

Thanks again.

 

 

 

 

Guru Elite
Posts: 21,524
Registered: 03-29-2007

Re: Master-Local Questions

No outage if you add a local to a master.  Just make sure you have the Master on 6.2.x FIRST.



Colin Joseph
Aruba Customer Engineering


Frequent Contributor I
Posts: 63
Registered: 05-21-2012

Re: Master-Local Questions

What about my captive portal certificate?  Will that be copied or will I need to install a second certificate on the local controller?  If it does add that from the master, will I need to update my DNS to resolve that name to both IP Addresses?

Guru Elite
Posts: 21,524
Registered: 03-29-2007

Re: Master-Local Questions


You will have to add a separate server certificate for that controller.

For each local controller, however, you need to put in the "ip cp-redirect-address" commandline configuration which is the ip address on the local controller that you want the captive portal hosted on.

Each local controller will automatically redirect traffic to the fqdn of the imported certificate. If you use a public CA to issue server certs to your controllers, your clients will only have to trust the CA that issues the certificates to your servers. Public CAs can tell you if all guest clients will do this.




Colin Joseph
Aruba Customer Engineering


Frequent Contributor I
Posts: 63
Registered: 05-21-2012

Re: Master-Local Questions

Is that still true when using Clearpass for my captive portals? 

 

The certificate is only called on the initial connection and the redirect back to the controller after authentication, correct?  I have a couple different subnets that are using this service.

Guru Elite
Posts: 8,765
Registered: 09-08-2010

Re: Master-Local Questions

If you did the CSR on a web server and have the private key to export, you can use the same cert on both controllers.

If you did it on the controller, the private key is not exportable.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Guru Elite
Posts: 21,524
Registered: 03-29-2007

Re: Master-Local Questions


ShawnShoe wrote:

Is that still true when using Clearpass for my captive portals? 

 

The certificate is only called on the initial connection and the redirect back to the controller after authentication, correct?  I have a couple different subnets that are using this service.


You will need a public certificate for any controller doing a redirect, as well as the ClearPass captive portal.  The initial web redirect is done by the controller, which needs to have a public certificate for a successful redirect, instead of a page prompting the user to trust it.  After the controller does the redirect, the ClearPass captive portal page used to authenticate guests, etc., needs to have a public certificate so that users do not have to manually trust it when they land on that page.  If neither the controller nor ClearPass has a public certificate, the user will be prompted twice: once to accept the certificate from the redirect, and once from the ClearPass box.  That typically leads to a bad experience.

 



Colin Joseph
Aruba Customer Engineering


Frequent Contributor I
Posts: 63
Registered: 05-21-2012

Re: Master-Local Questions

Right... I guess my question stems from your suggestion of using this command "ip cp-redirect-address".  I'm not currently using it on my master for my captive portal configurations with Clearpass; I just searched my config for it and it doesn't exist currently.  Is this something that is required because it will be a local controller, or would I only need this if I were using the internal Captive Portal?
