Hello everyone,

I am trying to achieve the following (see attached schema):

* an iAP (or an iAPCluster) on a site
* One SSID that connects to a RADIUS to do EAP-TLS
* One SSID that provides Guest access. This should be managed by the Ucopia box that is centralized in the Datacenter. This Ucopia is the DHCP server and the guest portal that should prompt when a user on a remote site tries to connect.

I was able to configure and connect via the green SSID (corporate with EAP-TLS) but I cannot find how to configure the red SSID (Deported Guest).

Is that even possible?

Regards,
Do you have the VLANs extended from your data-center to your branch? If so, create your SSIDs with the (tagged) VLANs on your IAP and the client will be placed in that VLAN.
If you don't have an isolated path as in VLAN and/or VRF over your MPLS, you could use an Aruba controller/gateway to set up a VPN over the MPLS from IAP to the controller/gw in your datacenter to achieve the same.
Thank you for your insight. The point of my question was to not have a VMC/VMM installation in the DC.
We are currently on the edge of changing our wireless installation to switch completely to Aruba. But while waiting for the tender process to finalise, we want to start provisioning new Aruba APs instead of the former brand (no point in buying new equipment if removed 3/4 months from now). We are trying to do so without service discontinuity and with the minimum amount of architecture building (as it is included in the tender).
Also, we have many branches dispatched around the world and it won't be easy to create a VxLAN/VRF on our WAN. But dealing with captive portal and guest config branch by branch directly on the Aruba APs + former provider is too much maintenance.
Maybe others have suggestions.
If you can't separate the traffic either L2 or L3 between guest and corporate, it will be a challenge to get the guest traffic routed to the external guest portal, while corporate traffic is routed through the DC/Internet. If the options for separation, tunnel/VRF on WAN or MC in the data center to build a VPN for guest (basically also tunnel) are not feasible, you might as an alternative have a look at policy-based routing in your DC and route the guest subnet/IPs to your guest gateway. The controller in your data center can be a relatively small one as it only needs to do VPN and if you don't have a MM, a single AP+PEF license would be enough to operate it with IAP VPN.