Occasional Contributor I

Using the RAP-2WG Ethernet port

We are using an Aruba 620, using 6.1.3.6 if I recall correctly. Will have to verify tomorrow when I'm at work again. I have whitelisted the RAP and it is able to connect to the controller from a home connection. The wifi is working and is connected to VLAN3. Now I'm trying to connect the E1 port to VLAN3 as well (layer 2 mode).

 

I tried enabling the AP mode in the AP-SYSTEM-PROFILE and I set the profile so that Ethernet1 is no longer shutdown, is in tunnel mode and connected to VLAN3.

 

For some reason, it doesn't seem to work. The ethernet port keeps connecting to VLAN1 instead. Sometimes it connects to VLAN3 for a minute or so, right after I have set the profile settings. But it almost seems that as soon as I click anywhere else in the web interface, it goes back to VLAN1 again. Is the web interface buggy? Do I need to press the 'save configuration'-button for it to work properly?

 

What else could be going on? Is it even able to do BOTH wifi and an ethernet port? Also, does it matter how I configure Ethernet0? Since that's the port that's actually connecting the RAP to the internet. Or are provisioning settings for that port ignored?

Guru Elite

Re: Using the RAP-2WG Ethernet port

In the wired AP profile, you need to Enable, Make it trusted and put the VLAN (3 in your case) in and click on Apply.

 

You do not need to configure ethernet0, just enet1



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor I

Re: Using the RAP-2WG Ethernet port

Aha, the trusted-part might be the thing that I have skipped. Will try tomorrow. Thanks. I still don't understand why an untrusted port would force it to VLAN1 instead of VLAN3 though. But it's certainly worth a try!

Occasional Contributor I

Re: Using the RAP-2WG Ethernet port

Awesome. Setting it to trusted makes it work. So that means that if you disable trusted, VLAN1 gets assigned to the port and if you enable trusted, the VLAN that you selected (in my case VLAN3) gets assigned to the port. Pretty strange behaviour, but it works.

 

Another thing I found: if I set the mode to split-tunnel, it works as well, without setting trusted (actually, setting split-tunnel forces Trusted to disabled).

 

Another thing I found: if I go to Monitoring and then click Clients, the wired client does not appear to show in the list if the port is Trusted. If I disable Trusted (and thus the port connects to VLAN1), then the wired client DOES show under clients. If I set the mode to 'split-tunnel' and the port connects to VLAN3, the client also DOES show in the list. So setting trusted makes it so that clients DO NOT show in the client list. Strange.

 

Is there any good documentation on all this behaviour? I can get it to work now, but I would like to understand why it does what it does.

 

PS: tnx for the help.

Guru Elite

Re: Using the RAP-2WG Ethernet port

"Untrusted" will force clients to authenticate in some way.  It will put them in a role that typically triggers a captive portal.  The default role for making a client untrusted is the "logon" role.  If that role is assigned to VLAN 3, that is why your clients are probably ending up there.

 

Split tunneling would allow you to designate some traffic to tunnel back to corporate and some traffic to stay local to the site.  You would have to write rules to permit (tunnel back to corporate) and route (send local to the site) traffic to make this work how you would want it.  There are resources on how to set up split tunneling if you search the knowledgebase here:  http://support.arubanetworks.com/KNOWLEDGEBASE/tabid/133/Default.aspx

 

Making a port just simply puts users on a VLAN without any restrictions and it is the easiest way to establish connectivity on a port.

 



Colin Joseph
Aruba Customer Engineering


Occasional Contributor I

Re: Using the RAP-2WG Ethernet port

I'm sorry, but I do not fully understand (yet).

 

[quote] If that role is assigned to VLAN 3, that is why your clients are probably ending up there.[/quote]

Did you mean to say VLAN1 instead of VLAN3? And where can I see what roles are assigned to a VLAN? VLAN1 is our default vlan, might that be the reason it's choosing that?

 

[quote]Making a port just simply puts users on a VLAN without any restrictions and it is the easiest way to establish connectivity on a port.[/quote]

Do you mean to say 'Making a port trusted' ?

 

What I'm trying to achieve is putting a user at home in VLAN3 without any restrictions. So making the port trusted should be the way to go? We would like to whitelist a certain list of mac-addresses though and block the rest, for security. Is this possible? I know it can be done for WiFi, but this is ethernet.

 

Thanks again for your help.

Guru Elite

Re: Using the RAP-2WG Ethernet port

Just make the port trusted, yes.


Colin Joseph
Aruba Customer Engineering


Occasional Contributor I

Re: Using the RAP-2WG Ethernet port

Thank you.

 

Now I'll go to the next step and try and google and read manuals to find out how to do the mac-filter, so that only certain devices can successfully connect to the wired rap port.

Guru Elite

Re: Using the RAP-2WG Ethernet port

You probably just want to search the knowledgebase here http://support.arubanetworks.com/KNOWLEDGEBASE/tabid/133/Default.aspx for wired mac Authentication.



Colin Joseph
Aruba Customer Engineering


Frequent Contributor II

Re: Using the RAP-2WG Ethernet port

(had to change username because I had to re-signup to get customer access)

 

Thank you, I used https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/R-1126 , which was very helpful.

 

It does not mention that I need to change the "initial role" in the AAA Profile from 'authenticated' to something less, like 'denyall', but it seems that you have to do that if you want mac-filtering.

 

Question1: what is the point of "MAC Authentication Default Role" if it gets overwritten by the role of the user in the internal-db?

 

Question2: if I create a user in the database with the mac-address as a username and password, would that allow VIA-clients to connect with that username/password combination as well? What if I don't want users to login with mac-address users? I only want that user to be used for mac-authentication.

 

Thanks again.
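
Added example, not written by anyone in this thread and not Aruba's own code: a small Python audit that reads a saved controller configuration and flags the two settings discussed above, a wired AP port that is trusted (no authentication before VLAN access) and a MAC-authentication AAA profile whose initial role is still permissive. The configuration keywords are assumed to appear as they do in an ArubaOS running-config, and the profile names and sample text are constructed for illustration.

```python
import re
# Constructed sample, written in the style of an ArubaOS running-config (assumption).
SAMPLE_CONFIG = """\
aaa profile "wired-mac-open"
   initial-role "authenticated"
   authentication-mac "default"
!
aaa profile "wired-mac-strict"
   initial-role "denyall"
   authentication-mac "default"
!
ap wired-ap-profile "home-enet1-trusted"
   wired-ap-enable
   trusted
   switchport access vlan 3
!
ap wired-ap-profile "home-enet1-untrusted"
   wired-ap-enable
   switchport access vlan 3
!
"""

def parse_stanzas(config):
    """Map (stanza kind, profile name) to its list of indented setting lines."""
    stanzas, current = {}, None
    for line in config.splitlines():
        header = re.match(r'^(aaa profile|ap wired-ap-profile) "([^"]+)"', line)
        if header:
            current = stanzas.setdefault(header.groups(), [])
        elif line[:1].isspace() and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" separator or an unrelated top-level command
    return stanzas

def audit(config, permissive_roles=("authenticated",)):
    """Return (profile, finding) pairs for wired ports that admit any device."""
    findings = []
    for (kind, name), lines in parse_stanzas(config).items():
        if kind == "ap wired-ap-profile":
            if "wired-ap-enable" in lines and "trusted" in lines:
                # Assumption: the access VLAN is 1 when none is configured.
                vlan = next((l.split()[-1] for l in lines if l.startswith("switchport access vlan")), "1")
                findings.append((name, f"trusted port: no authentication, VLAN {vlan}"))
        elif any(l.startswith("authentication-mac") for l in lines):
            role = next((l.split()[-1].strip('"') for l in lines if l.startswith("initial-role")), None)
            if role in permissive_roles:
                findings.append((name, f"unknown MACs keep initial role '{role}'"))
    return findings
```

Calling `audit(SAMPLE_CONFIG)` reports the `wired-mac-open` AAA profile and the `home-enet1-trusted` port profile; the strict and untrusted variants pass.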
