Wireless Access

Occasional Contributor II

Step-by-step tutorial for deploying 1 wireless controller with different VLANs

Greetings,

 

We have recently got a 3200 wireless controller and a number of APs. We need to do a very basic deployment, i.e. two different WLANs, one for the employees and one for the guests. I have already gone through the Aruba Campus Wireless Networks document and, since I am not very familiar with the topic, I would like some guidance as to what type of connection (access or trunk) should be the controller uplink and general information on how to set up a WLAN with authentication. Links to tutorials or guides are more than welcome!

 

 

Super Contributor II

Re: Step-by-step tutorial for deploying 1 wireless controller with different VLANs

Management VLAN

Employee VLAN

Guest VLAN (unless you want to NAT out of one of the other interfaces)

 

These VLANs are a typical setup. Depending on your network setup things might need to be a little fancier, like tunneling guest traffic to a controller in the DMZ, or if you require .1x and MAC auth for employees.

 

Let’s start with this:

How many employees and how many employee connections do you think might be established at a given time? Remember an employee might have more than one wireless device.

 

Do you have a RADIUS server in place?

 

Are your employees in a domain and in Active Directory?

 

We should be able to get you up and going. 

Sean Rynearson
Occasional Contributor II

Re: Step-by-step tutorial for deploying 1 wireless controller with different VLANs

Hi Sean,

 

Thank you for your prompt response!

 

Please find my comments below, I'll try to be as descriptive as possible:

 

Right now, we have connected the controller to our L3 switch (access port). VLAN 30 has been configured for the controller and APs as the management VLAN. The controller has been configured to act as a DHCP server for the APs in VLAN 30, which works fine.

 

We expect to have about 50-60 concurrent connections in the employee VLAN and much less in the guest VLAN. There is currently no RADIUS server, so I guess we have to use the controller's internal database.

 

Some more questions:

 

- I have created the employee and guest VLANs on the controller. Should the L3 switch be aware of these VLANs? From my understanding, this is not the case, right?

 

- Employees should be able to connect to the employee WLAN just by providing a WPA2 key, i.e. no 802.1X or MAC authentication.

 

- There is no need for a captive portal for the guests, but they shouldn't be able to access any of the internal networks.

 

Occasional Contributor II

Re: Step-by-step tutorial for deploying 1 wireless controller with different VLANs

Hi again,

 

After some reading and fiddling, I finally have a working Employee WLAN!

 

One problem: I have changed the user roles to "authenticated" in the default-dot1xAAA profile. When connecting through my laptop, everything works fine after I enter the key. If I connect with my mobile phone (Android), I get the "web authentication is disabled" message. Did I miss something?

Occasional Contributor II

Re: Step-by-step tutorial for deploying 1 wireless controller with different VLANs

I think I can help with a few of your questions.....

 

"I have created the employee and guest VLANs on the controller. Should the L3 switch be aware of these VLANs? From my understanding, this is not the case, right?"

 

The L3 doesn't necessarily need to be involved. There is an option called "Enable source NAT for this VLAN" which will allow the traffic to route over to the existing uplink from the controller. Not really the best way to do it, but it works. I've got a controller set up that way myself. A better way to do it would be to set up a rule in the policy that will NAT the traffic.

 

"Employees should be able to connect to the employee WLAN just by providing a WPA2 key, i.e. no 802.1X or MAC authentication"

 

Really depends on how you have it set up. When you go through the WLAN wizard, make sure you set it up as WPA2 Personal and not Enterprise if you are wanting to use a PSK. Keep in mind that using a PSK is not as secure as 802.1x because if the password ever gets out, your network is able to be breached. If you are using a domain controller with Active Directory, setting up RADIUS and 802.1x is actually pretty easy.

 

"There is no need for a captive portal for the guests, but they shouldn't be able to access any of the internal networks."

 

You would set this up with policies. Even though it isn't specifically needed, I would still set up the portal to catch them and make it easier for them to log on to the network. It also makes it somewhat easier to set up the appropriate policies to restrict access.

 

Hope this helps.

Occasional Contributor II

Re: Step-by-step tutorial for deploying 1 wireless controller with different VLANs

Hi,

 

Thank you for your answers.

 

In the end, we decided that employees should be authenticated with 802.1x. I tried to configure 802.1x using the internal database with no success.

 

The steps I followed are described below:

 

1) created VLAN

2) created firewall policy to allow everything

3) created user role and assigned the firewall policy

4) defined authentication server

5) defined server group with the above server as member

6) created 802.1x authentication profile with termination eap-type eap-peap

7) created aaa profile with dot1x-default-role logon & authentication-dot1x the 802.1x authentication profile I created above

8) created SSID

9) created VAP with the above aaa-profile & ssid-profile

 

I provision the APs with this configuration and the clients cannot connect. I can see them in the logon role for 5 seconds and then they disappear. Any ideas/help/directions?

 

Thank you in advance!
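An added example, not the poster's attached configuration and not Aruba's own documentation: the nine steps above written out as ArubaOS CLI for 802.1X terminated on the controller against the internal user database, followed by the show commands used to watch the client's authentication attempt. VLAN 40, the profile names, the user jdoe and the `termination`, `local-userdb` and `dot1x-server-group` lines are assumptions here; check them against the CLI reference for your ArubaOS release.

```text
! 1) VLAN for employee clients
vlan 40
interface vlan 40
  ip address 10.40.0.1 255.255.255.0

! 2) session ACL that permits everything (any any any permit)
ip access-list session employee-allowall
  any any any permit

! 3) user role that references the ACL
user-role employee
  access-list session employee-allowall

! 4)+5) the internal database is the auth server; put it in a server group
aaa server-group "employee-srv"
  auth-server Internal
local-userdb add username jdoe password ChangeMe-Constructed role employee

! 6) 802.1X profile: PEAP terminated on the controller, inner MSCHAPv2
aaa authentication dot1x "employee-dot1x"
  termination enable
  termination eap-type eap-peap
  termination inner-eap-type eap-mschapv2

! 7) AAA profile tying role, dot1x profile and server group together
aaa profile "employee-aaa"
  initial-role logon
  dot1x-default-role employee
  authentication-dot1x "employee-dot1x"
  dot1x-server-group "employee-srv"

! 8)+9) SSID and virtual AP, then attach the VAP to the AP group
wlan ssid-profile "employee-ssid"
  essid "Employee"
  opmode wpa2-aes
wlan virtual-ap "employee-vap"
  aaa-profile "employee-aaa"
  ssid-profile "employee-ssid"
  vlan 40
ap-group "default"
  virtual-ap "employee-vap"

! checks while a client tries to join: EAP exchange, resulting role, licenses
show auth-tracebuf
show user-table
show license
```

A client that appears in the logon role and then drops is visible in `show auth-tracebuf` as the point where the EAP exchange stops, which tells you whether the failure is on the server-group lookup, the termination settings or the role assignment.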

Super Contributor II

Re: Step-by-step tutorial for deploying 1 wireless controller with different VLANs

Show running config and attach it to here. We will be able to follow the trail better.

 

Also, what licenses are on the controller? 

Sean Rynearson
Occasional Contributor II

Re: Step-by-step tutorial for deploying 1 wireless controller with different VLANs

Hi Sean,

 

As you can see in the configuration I have attached, everything related to the employee WLAN has "AP-Employee" as a prefix.

Occasional Contributor II

Re: Step-by-step tutorial for deploying 1 wireless controller with different VLANs

Any insights?

 

I'd really appreciate your help on this guys!

Super Contributor II

Re: Step-by-step tutorial for deploying 1 wireless controller with different VLANs

I will not be back to my office all weekend. You can always open a TAC case if you have support.

I can take a look at this on Monday.
Sean Rynearson