We have recently got a 3200 wireless controller and a number of APs. We need to do a very basic deployment, i.e. two different WLANs, one for the employees and one for the guests. I have already gone through the Aruba Campus Wireless Networks document and, since I am not very familiar with the topic, I would like some guidance as to what type of connection (access or trunk) should be the controller uplink and general information on how to setup a WLAN with authentication. Links to tutorials or guides are more than welcome!
Guest VLAN (unless you want to NAT out of one of the other interfaces)
These VLANs are a typical setup. Depending on your network setup, things might need to be a little fancier, like tunneling guest traffic to a controller in the DMZ, or if you require .1x and MAC auth for employees.
Let’s start with this:
How many employees and how many employee connections do you think might be established at a given time? Remember an employee might have more than one wireless device.
Do you have a RADIUS server in place?
Are your employees in a domain and in Active directory?
We should be able to get you up and going.
Thank you for your prompt response!
Please find my comments below, I'll try to be as descriptive as possible:
Right now, we have connected the controller to our L3 switch (access port). VLAN 30 has been configured for the controller and APs as the management VLAN. The controller has been configured to act as a DHCP server for the APs in VLAN 30, which works fine.
We expect to have about 50-60 concurrent connections in the employee VLAN and much less in the guest VLAN. There is currently no RADIUS server, so I guess we have to use the controller's internal database.
Some more questions:
- I have created the employee and guest VLANs on the controller. Should the L3 switch be aware of these VLANs? From my understanding, this is not the case, right?
- Employees should be able to connect to the employee WLAN just by providing a WPA2 key, i.e. no 802.1X or MAC authentication
- There is no need for a captive portal for the guests, but they shouldn't be able to access any of the internal networks.
After some reading and fiddling, I finally have a working Employee WLAN!
One problem: I have changed the user roles to "authenticated" in the default-dot1xAAA profile. When connecting through my laptop, everything works fine after I enter the key. If I connect with my mobile phone (Android), I get the "web authentication is disabled" message. Did I miss something?
I think I can help with a few of your questions.....
"I have created the employee and guest VLANs on the controller. Should the L3 switch be aware of these VLANs? From my understanding, this is not the case, right?"
The L3 doesn't necessarily need to be involved. There is an option called "Enable source NAT for this VLAN" which will allow the traffic to route over to the existing uplink from the controller. Not really the best way to do it, but it works. I've got a controller set up that way myself. A better way to do it would be to set up a rule in the policy that will NAT the traffic.
"Employees should be able to connect to the employee WLAN just by providing a WPA2 key, i.e. no 802.1X or MAC authentication"
Really depends on how you have it set up. When you go through the WLAN wizard, make sure you set it up as WPA2 Personal and not Enterprise if you are wanting to use a PSK. Keep in mind that using a PSK is not as secure as 802.1x because if the password ever gets out, your network is able to be breached. If you are using a domain controller with Active Directory, setting up RADIUS and 802.1x is actually pretty easy.
"There is no need for a captive portal for the guests, but they shouldn't be able to access any of the internal networks."
You would set this up with policies. Even though it isn't specifically needed, I would still set up the portal to catch them and make it easier for them to log on to the network. It also makes it somewhat easier to set up the appropriate policies to restrict access.
Hope this helps.
Thank you for your answers.
In the end, we decided that employees should be authenticated with 802.1x. I tried to configure 802.1x using the internal database with no success.
The steps I followed are described below:
1) created VLAN
2) created firewall policy to allow everything
3) created user role and assigned the firewall policy
4) defined authentication server
5) defined server group with the above server as member
6) created 802.1x authentication profile with termination eap-type eap-peap
7) created aaa profile with dot1x-default-role logon & authentication-dot1x the 802.1x authentication profile I created above
8) created SSID
9) created VAP with the above aaa-profile & ssid-profile
I provision the APs with this configuration and the clients cannot connect. I can see them in the logon role for 5 seconds and then they disappear. Any ideas/help/directions?
Thank you in advance!
Show the running config and attach it here. We will be able to follow the trail better.
Also, what licenses are on the controller?
As you can see in the configuration I have attached, everything related to the employee WLAN has "AP-Employee" as a prefix.
I'd really appreciate your help on this guys!
As you're doing 802.1x EAP-PEAP authentication and terminating it on the controller you'll want to have a root CA and server certificate on your controller to secure the authentication.
Windows devices when connecting (by default) will attempt to validate the authentication server (controller in this case) using the certificate the server provides. This is possibly why it's failing. You could try to turn off "Validate server certificate" in the wireless settings on your client as a test. But I wouldn't leave it like this.
If at all possible though I'd try to use an external RADIUS server. Do you have Active Directory or LDAP that you can authenticate against?
Thank you for your reply!
All the tests were performed using a Linux laptop and Android mobile phones, so no Windows clients. My guess is that something is missing or not configured correctly.
We need to use the controller's internal database for now and authentication against AD is what we will eventually move to in the near future.
Setting up RADIUS on AD is actually very easy. Does your domain controller run on 03 or 08? In 03 you will add IAS and use the RADIUS part from there, from 08 I forget exactly what it is called, but I think it is NAS (network access server??). It might just be worth scrapping what you've done and starting from scratch and setting it up the way you want it to work in the end instead of migrating a little at a time.
Thank you for the information.
There is no AD at this point, it is something that we will implement in the near future. That is the reason we need to use the controller's internal database for the time being.
Can you tell me what version of software you are running on the controller and can you give me a full description of what you are trying to accomplish? I'll try to put together a quick how to.
We are running ArubaOS 188.8.131.52. Our goal is to have 2 WLANs: one for the employees (WPA EAP-PEAP, authentication against the controller's internal database) and one for the guests (captive portal, authentication against the controller's internal database). Until now, we have tried to configure the employee WLAN (please refer to the attached configuration on a previous message). It would be great if you could compile a small step-by-step guide on how to accomplish this!
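The following is an added example, not a post from this thread and not Aruba's own guide: an ArubaOS CLI configuration that covers the two WLANs described in the post above (employee EAP-PEAP terminated on the controller against the internal database, plus an open guest SSID with a captive portal and a post-login role that cannot reach internal networks), following the nine steps listed earlier in the thread. Everything not stated in the thread is an assumption: ArubaOS 6.x command syntax, VLAN 40 for employees and VLAN 50 for guests (VLAN 30 management is from the thread), the 10.40/10.50 addressing, the certificate names, and the user names and passwords. The uplink is left as an access port, as in the thread, so both user VLANs are source-NATed out of the controller ("Enable source NAT for this VLAN" is `ip nat inside` in the CLI); if the L3 switch should route those VLANs instead, make the uplink a trunk carrying VLANs 30, 40 and 50 and drop the `ip nat inside` lines. Two things worth checking against the nine steps: the AAA profile here binds the server group with `dot1x-server-group`, which those steps do not mention, and the `dot1x-default-role` is the employee role from step 3 rather than `logon`.

```text
! Added example, not from the thread or Aruba's documentation.
! Assumed: ArubaOS 6.x CLI, VLAN 30 = management (from the thread),
! VLAN 40 = employees, VLAN 50 = guests, uplink stays an access port,
! so both user VLANs are source-NATed behind the controller's uplink IP.
!
! --- VLANs (step 1); "ip nat inside" = "Enable source NAT for this VLAN"
vlan 40
interface vlan 40
  ip address 10.40.0.1 255.255.255.0
  ip nat inside
vlan 50
interface vlan 50
  ip address 10.50.0.1 255.255.255.0
  ip nat inside
!
! --- Employee firewall policy (step 2) and role (step 3)
ip access-list session employee-acl
  user any any permit
user-role employee
  access-list session employee-acl
!
! --- Internal database (steps 4 and 5): users live in local-userdb.
!     "local-userdb add" is an enable-mode command, not config mode.
local-userdb add username alice password ChangeMe123 role employee
aaa server-group "employee-sg"
  auth-server Internal
!
! --- 802.1X profile (step 6): PEAP/MSCHAPv2 terminated on the controller.
!     Certificate names are assumed; import a server certificate and its
!     issuing CA first, otherwise PEAP clients see an untrusted server.
aaa authentication dot1x "employee-dot1x"
  termination enable
  termination eap-type eap-peap
  termination inner-eap-type eap-mschapv2
  server-cert "controller-server-cert"
  ca-cert "internal-root-ca"
!
! --- AAA profile (step 7): role from step 3, server group bound here
aaa profile "employee-aaa"
  authentication-dot1x "employee-dot1x"
  dot1x-default-role "employee"
  dot1x-server-group "employee-sg"
!
! --- SSID (step 8) and VAP (step 9); wpa2-aes = WPA2-Enterprise
wlan ssid-profile "employee-ssid"
  essid "Employee"
  opmode wpa2-aes
wlan virtual-ap "employee-vap"
  aaa-profile "employee-aaa"
  ssid-profile "employee-ssid"
  vlan 40
!
! --- Guest: open SSID, captive portal against the internal database,
!     post-login role that may not reach RFC 1918 space. DHCP and DNS to
!     the controller are permitted before the deny rules so clients can
!     still get an address and resolve names.
ip access-list session guest-acl
  user any svc-dhcp permit
  user any svc-dns permit
  user network 10.0.0.0 255.0.0.0 any deny
  user network 172.16.0.0 255.240.0.0 any deny
  user network 192.168.0.0 255.255.0.0 any deny
  user any any permit
user-role guest
  access-list session guest-acl
local-userdb add username guest1 password ChangeMe456 role guest
aaa server-group "guest-sg"
  auth-server Internal
aaa authentication captive-portal "guest-cp"
  default-role "guest"
  server-group "guest-sg"
user-role guest-logon
  captive-portal "guest-cp"
  access-list session logon-control
  access-list session captiveportal
aaa profile "guest-aaa"
  initial-role "guest-logon"
wlan ssid-profile "guest-ssid"
  essid "Guest"
  opmode opensystem
wlan virtual-ap "guest-vap"
  aaa-profile "guest-aaa"
  ssid-profile "guest-ssid"
  vlan 50
!
! --- Push both VAPs to the AP group the APs are provisioned into
ap-group "default"
  virtual-ap "employee-vap"
  virtual-ap "guest-vap"
```

After applying it, `show aaa authentication dot1x employee-dot1x` and `show user-table` show whether a client lands in the employee role or stays in logon; a client that appears in logon and then drops, as described earlier in the thread, is typically failing the EAP exchange itself, so check the certificate the client is presented with and that the server group actually contains the Internal server.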
Try this. Let me know if it works or not.
Thank you very much for the guide.
I have a few questions:
1) Why do we select VLAN1 for the employee WLAN? In case we want a separate VLAN for the employees (as in our case), shouldn't we select it accordingly?
2) It seems that whatever I try to configure through the wizards, is not saved. Can I do something about it?
For the VLAN1 question, yes, you can select whatever you need. I just did 1 assuming that you weren't using a separate VLAN.
For the wizards not saving question, I'm not sure. I have seen issues with different browsers not working quite right. I'm on 6.2 now on mine and the dashboard will not show up in firefox but looks fine in IE. Might want to try a new browser. Also make sure you click Finish as long as it shows up. Some of the wizards have to get clicked 2 or 3 times. Last, try upgrading your software again. It could be corrupt. If all of that fails, you'll want to open a ticket with support.
Were you able to get it working?
© Copyright 2021 Hewlett Packard Enterprise Development LP. All Rights Reserved.