Community Feedback

last person joined: 3 hours ago 

How is the community doing? Do you have any questions or feedback related for the Airheads Community team? This is the place to let us know.
Expand all | Collapse all

AP-535 and Guest config

This thread has been viewed 14 times
  • 1.  AP-535 and Guest config

    Posted Dec 16, 2020 09:58 AM
      |   view attached

    Hello everyone,

    I try to achieve the following (see attached schema) :
    * an iAP (or a iAPCluster) on a site
    * One SSID that connect to a RADIUS to do EAP-TLS
    * One SSID that provide Guest access. This should be managed by the Ucopia box that is centralized into the Datacenter. This Ucopia is the DHCP server and the guest portal that should prompt when user on remote site try to connect.

    I was able to configure and connect via the green SSID (corporate with EAP-TLS) but I cannot find how to configure the red SSID (Deported Guest).

    Is that even possible ?

    Regards,



    ------------------------------
    GuillaumeR
    ------------------------------


  • 2.  RE: AP-535 and Guest config

    Posted Dec 18, 2020 05:18 AM

    Do you have the VLANs extended from your data-center to your branch? If so, create your SSIDs with the (tagged) VLANs on your IAP and the client will be placed in that VLAN.

    If you don't have an isolated path as in VLAN and/or VRF over your MPLS, you could use an Aruba controller/gateway to set up a VPN over the MPLS from IAP to the controller/gw in your datacenter to achieve the same.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 3.  RE: AP-535 and Guest config

    Posted Dec 21, 2020 03:21 AM

    Hello Herman,

    Thank you for your insight. The point of my question was to not have a VMC/VMM installation into the DC.

    We are currently on the edge of changing our wireless installation to switch completely to Aruba. But while waiting for the tender process to finalise we want to start provisioning new Aruba AP instead of the former brand (no point in buying new equipment if removed 3/4month from now). We are trying to do so without service discontinuity and with the minimum amount of architecture building (as it is included into the tender).

    Also we have many branch dispatch around the world and it won't be easy to create a VxLAN/VRF on our WAN. But dealing with captive portal, and guest config branch by branch directly onto Aruba AP + former provider is too much maintenance.

    Regards,



    ------------------------------
    Guillaume ROUX
    ------------------------------



  • 4.  RE: AP-535 and Guest config

    Posted Dec 21, 2020 04:17 AM

    Maybe others have suggestions.

    If you can't separate the traffic either L2 or L3 between guest and corporate, it will be a challenge to get the guest traffic routed to the external guest portal, while corporate traffic is routed through the DC/Internet. If the options for separation, tunnel/VRF on WAN or MC in the data center to build a VPN for guest (basically also tunnel) are not feasible, you might as an alternative have a look at policy-based routing in your DC and route the guest subnet/IPs to your guest gateway. The controller in your data center can be a relatively small one as it only needs to do VPN and if you don't have a MM, a single AP+PEF license would be enough to operate it with IAP VPN.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------