How do I configure a backup SSID in a hotel scenario?

By Arunkumar posted Jul 01, 2014 04:29 PM


Product and Software: This article applies to all Aruba controllers running ArubaOS 3.3 and later.


Today, most hotels have their own captive portal. Internet access is not available before user password authentication, which prevents the remote AP from connecting to the controller.


This setup will work with the new RAP backup SSID feature. The backup configuration (also known as fallback mode) operates the remote AP if the master controller or the configured primary and backup LMS are unreachable. The remote AP saves configuration information that allows it to operate autonomously using one or more SSIDs in local bridging mode while supporting open association or encryption with PSKs.


A user can plug the AP into the hotel Ethernet port. The AP then functions like a fat AP: it acts as the DHCP server and a NAT router, and it advertises a backup SSID. The user can connect wirelessly and pass captive portal authentication. After the Internet connection is up, the AP can connect to the controller and advertise the corporate SSID.


Here is the sample configuration:

1) Issue the following command, and use opensystem, staticwep, or wpa-psk as the encryption:

config wlan ssid profile


SSID Profile "bk"

Parameter                          Value
---------                          -----
SSID enable                        Enabled
Encryption                         opensystem
DTIM Interval                      1 beacon periods
802.11a Basic Rates                6 12 24
802.11a Transmit Rates             6 9 12 18 24 36 48 54
802.11g Basic Rates                1 2
802.11g Transmit Rates             1 2 5 6 9 11 12 18 24 36 48 54
Station Ageout Time                1000 sec
Max Transmit Attempts              4
RTS Threshold                      2333 bytes
Short Preamble                     Enabled
Max Associations                   64
Wireless Multimedia (WMM)          Disabled
WMM TSPEC Min Inactivity Interval  0 msec
Hide SSID                          Disabled
Deny_Broadcast Probes              Disabled
Local Probe Response               Enabled
WEP Key 1                          ********
WEP Key 2                          N/A
WEP Key 3                          N/A
WEP Key 4                          N/A
WEP Transmit Key Index             1
WPA Hexkey                         N/A
WPA Passphrase                     N/A
Maximum Transmit Failures          0
BC/MC Rate Optimization            Disabled

2) Issue the following command:

config aaa profile

AAA Profile "bk"

Parameter                           Value
---------                           -----
Initial role                        bk
MAC Authentication Profile          N/A
MAC Authentication Default Role     guest
MAC Authentication Server Group     default
802.1X Authentication Profile       N/A
802.1X Authentication Default Role  guest
802.1X Authentication Server Group  N/A
RADIUS Accounting Server Group      N/A
User derivation rules               N/A
Wired to Wireless Roaming           Enabled

In the aaa profile, the initial role is important. Its access list needs at least two lines:


Derived Role = 'bk'
Up BW:No Limit   Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Periodic reauthentication: Disabled
ACL Number = 32/0
Max Sessions = 65535

access-list List

Position  Name  Location
--------  ----  --------
1         bk

Priority  Source  Destination  Service   Action         TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan
--------  ------  -----------  -------   ------         ---------  ---  -------  -----  ---  -----  ---------  ------  -------
1         any     any          svc-dhcp  permit                                  Low
2         user    any          any       route src-nat                           Low

Expired Policies (due to time constraints) = 0


The first line allows the client to get its IP address from the AP. (The AP is the DHCP server; its configuration is shown below.)

The second line allows user traffic to be NATed.


3) Issue the following command:


config wlan virtual-ap


Virtual AP profile "bk"

Parameter                              Value
---------                              -----
Virtual AP enable                      Enabled
Allowed band                           all
SSID Profile                           bk
VLAN                                   100
Forward mode                           bridge
Deny time range                        N/A
Mobile IP                              Enabled
DoS Prevention                         Disabled
Station Blacklisting                   Enabled
Blacklist Time                         3600 sec
Authentication Failure Blacklist Time  3600 sec
Fast Roaming                           Disabled
Strict Compliance                      Disabled
VLAN Mobility                          Disabled
AAA Profile                            bk
Remote-AP Operation                    backup


4) Issue the following command:


config ap system profile


AP system profile "bk"

Parameter                     Value
---------                     -----
Backup LMS IP                 N/A
LMS Preemption                Disabled
LMS Hold-down Period          600 sec
Master controller IP address
RF Band                       g
Double Encrypt                Disabled
Native VLAN ID                1
Bootstrap threshold           8
Request Retry Interval        10 sec
Maximum Request Retries       10
Keepalive Interval            60 sec
Dump Server                   N/A
Telnet                        Disabled
SNMP sysContact               N/A
AeroScout RTLS Server         N/A
RTLS Server configuration     N/A
Remote-AP DHCP Server VLAN    100
Heartbeat DSCP                0
Session ACL                   N/A
Corporate DNS Domain          N/A


The Remote-AP DHCP Server VLAN should match the VLAN ID configured in the virtual-ap profile. No IP address is needed for this VLAN interface.


5) Configure the primary SSID, virtual AP, and other items.


6) Apply these to the ap-group.


AP group "bktest"

Parameter                           Value
---------                           -----
Virtual AP                          bk
Virtual AP                          primary
802.11a radio profile               default
802.11g radio profile               default
Wired AP profile                    default
Ethernet interface 0 link profile   default
Ethernet interface 1 link profile   default
AP system profile                   bk
802.11a Traffic Management profile  N/A
802.11g Traffic Management profile  N/A
Regulatory Domain profile           default
SNMP profile                        default
RF Optimization profile             default
RF Event Thresholds profile         default
IDS profile                         ids-low-setting
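
A consistency check for steps 1, 3 and 4, added here as an example (it is not Aruba's code and not part of the original article): it parses Parameter/Value output and flags a virtual AP that is not in backup or bridge mode, a VLAN that does not match the Remote-AP DHCP Server VLAN, and an unencrypted backup SSID. It assumes column-aligned output with two or more spaces between columns; the names `parse` and `audit` and the trimmed sample text are constructed for illustration.

```python
import re

# Constructed sample: trimmed show output using this article's values.
VAP = '''Virtual AP profile "bk"
Parameter              Value
---------              -----
VLAN                   100
Forward mode           bridge
Remote-AP Operation    backup
'''
SYS = '''AP system profile "bk"
Parameter                     Value
---------                     -----
Remote-AP DHCP Server VLAN    100
'''
SSID = '''SSID Profile "bk"
Parameter     Value
---------     -----
Encryption    opensystem
'''

def parse(text):
    """Map 'Parameter  Value' rows (2+ spaces between columns) to a dict."""
    rows = {}
    for line in text.splitlines():
        m = re.match(r"(\S.*?)\s{2,}(\S.*)$", line)
        # Skip the column header and the dashed separator row.
        if m and m.group(1) != "Parameter" and set(m.group(1)) != {"-"}:
            rows[m.group(1)] = m.group(2).strip()
    return rows

def audit(vap_text, sys_text, ssid_text):
    """Return findings for a backup-SSID profile set (hypothetical helper)."""
    vap, sysp, ssid = parse(vap_text), parse(sys_text), parse(ssid_text)
    findings = []
    if vap.get("Remote-AP Operation") != "backup":
        findings.append("Remote-AP Operation is not 'backup'")
    if vap.get("Forward mode") != "bridge":
        findings.append("Forward mode is not 'bridge'")
    vlan = vap.get("VLAN")
    if vlan is None or vlan != sysp.get("Remote-AP DHCP Server VLAN"):
        findings.append("virtual-ap VLAN != Remote-AP DHCP Server VLAN")
    if ssid.get("Encryption") == "opensystem":
        findings.append("backup SSID is unencrypted (opensystem)")
    return findings

if __name__ == "__main__":
    for finding in audit(VAP, SYS, SSID):
        print("WARN:", finding)
```

With the article's sample values, the only finding is the open backup SSID; setting the encryption to wpa-psk, one of the options listed in step 1, clears it.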