Maybe others have suggestions.
If you can't separate the traffic either L2 or L3 between guest and corporate, it will be a challenge to get the guest traffic routed to the external guest portal, while corporate traffic is routed through the DC/Internet. If the options for separation, tunnel/VRF on WAN or MC in the data center to build a VPN for guest (basically also tunnel), are not feasible, you might as an alternative have a look at policy-based routing in your DC and route the guest subnet/IPs to your guest gateway. The controller in your data center can be a relatively small one as it only needs to do VPN, and if you don't have an MM, a single AP+PEF license would be enough to operate it with IAP VPN.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
------------------------------
Original Message:
Sent: Dec 21, 2020 03:21 AM
From: Guillaume ROUX
Subject: AP-535 and Guest config
Hello Herman,
Thank you for your insight. The point of my question was to not have a VMC/VMM installation in the DC.
We are currently on the edge of changing our wireless installation to switch completely to Aruba. But while waiting for the tender process to finalise, we want to start provisioning new Aruba APs instead of the former brand (no point in buying new equipment if it is removed 3/4 months from now). We are trying to do so without service discontinuity and with the minimum amount of architecture building (as it is included in the tender).
Also, we have many branches dispatched around the world and it won't be easy to create a VxLAN/VRF on our WAN. But dealing with captive portal and guest config branch by branch directly on the Aruba AP + former provider is too much maintenance.
Regards,
------------------------------
Guillaume ROUX
Original Message:
Sent: Dec 18, 2020 05:17 AM
From: Herman Robers
Subject: AP-535 and Guest config
Do you have the VLANs extended from your data-center to your branch? If so, create your SSIDs with the (tagged) VLANs on your IAP and the client will be placed in that VLAN.
If you don't have an isolated path as in VLAN and/or VRF over your MPLS, you could use an Aruba controller/gateway to set up a VPN over the MPLS from IAP to the controller/gw in your datacenter to achieve the same.
------------------------------
Herman Robers
Original Message:
Sent: Dec 16, 2020 09:58 AM
From: Guillaume ROUX
Subject: AP-535 and Guest config
Hello everyone,
I am trying to achieve the following (see attached schema):
* an iAP (or an iAP cluster) on a site
* One SSID that connects to a RADIUS to do EAP-TLS
* One SSID that provides Guest access. This should be managed by the Ucopia box that is centralized in the Datacenter. This Ucopia is the DHCP server and the guest portal that should prompt when a user on a remote site tries to connect.
I was able to configure and connect via the green SSID (corporate with EAP-TLS) but I cannot find how to configure the red SSID (Deported Guest).
Is that even possible?
Regards,
------------------------------
GuillaumeR
------------------------------