Wireless Access


Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

RAP 2wg

  • 1.  RAP 2wg

    Posted Mar 09, 2012 10:21 AM

    Hi There,


    We have a guest SSID broadcast on Campus AP and Remote AP and we want to apply a different policy to clients connected to RAP. Is there any way to distinguish between a client connected to CAP and a client connected to RAP?

    We are using a RADIUS server for authentication.




  • 2.  RE: RAP 2wg

    Posted Mar 09, 2012 10:38 AM

    Are the RAP and CAP in different AP groups?

    If yes, you can use the same SSID profile with a different AAA profile, and you can map the respective roles to the users connecting to CAP and RAP.



  • 3.  RE: RAP 2wg

    Posted Mar 16, 2012 11:24 AM

    Yes, the CAP and RAP are in different AP groups.


    The users that connect either to RAP or CAP are getting the same server-derived role because they are authenticated by the same network policy on the RADIUS server. So specifying a different AAA profile with a different default role does not help, because the default role will not be assigned if the server-derived role is present.

    If I move the RAP to a different controller, then based on the NAS ID I can specify a different value for the RADIUS attribute on the network policy, and then the server-derived role will be different. I tested this by moving the CAP to another controller and it works.


    Is it possible to move the RAP from the master to a local controller?  



  • 4.  RE: RAP 2wg

    Posted Mar 16, 2012 11:42 AM

    Sure, Remote APs (RAPs) can terminate on any reachable controller. You can set the LMS-IP address in the AP system profile within the AP-Group to the desired controller that you are trying to have the remote AP terminate upon.

          LMS-IP field == controller to terminate upon (aka users will 'pop up' on)

  • 5.  RE: RAP 2wg

    Posted Mar 23, 2012 06:42 PM
    Actually, you don't even need to move the RAP... If you create a new radius entry for your radius server, you can specify a different NAS-ip, which would allow you to apply a different radius policy for that AP group. Of course, you'd subsequently have to create a new aaa profile and virtual AP in order to implement it... But it is doable. We use NAS-ip to trick our radius servers all the time, and it works great. Hope this helps! - Jay
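
The approach described in the last reply, sketched as ArubaOS controller configuration. This is an added example, not configuration posted by anyone in the thread; all profile names, addresses and the use of 802.1X on the guest SSID are assumptions.

```text
! Constructed example: every name and address below is a placeholder.
!
! Second server entry pointing at the SAME RADIUS server as the existing one.
! Only nas-ip differs; it sets the NAS-IP-Address attribute sent in requests.
aaa authentication-server radius "radius-guest-rap"
   host 192.0.2.10
   key <shared-secret>
   nas-ip 198.51.100.2
!
aaa server-group "guest-rap-servers"
   auth-server "radius-guest-rap"
!
! New AAA profile used only by the RAP AP group.
! Assumes the guest SSID uses 802.1X and an existing 802.1X
! authentication profile named "guest-dot1x" (hypothetical name).
aaa profile "guest-rap-aaa"
   authentication-dot1x "guest-dot1x"
   dot1x-server-group "guest-rap-servers"
!
! New virtual AP that reuses the existing SSID profile, so clients see
! the same guest SSID. Copy the remaining settings from the existing
! guest virtual AP.
wlan virtual-ap "guest-rap-vap"
   ssid-profile "guest-ssid"
   aaa-profile "guest-rap-aaa"
!
! Swap the guest virtual AP on the RAP group only; the CAP group keeps
! the original virtual AP and therefore the original NAS-IP.
ap-group "rap-group"
   no virtual-ap "guest-vap"
   virtual-ap "guest-rap-vap"
!
```

On the RADIUS server, the policy for RAP clients then matches on the NAS-IP-Address value configured above and returns the role attribute intended for them. After a test client connects through a RAP, `show user-table` on the controller shows which role it actually received.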