I have a customer who wants to set up their Instant APs using EAP-TLS, to match the WLAN configuration they use in their head office. They will be using the Instants with VPN to give roaming users access back to the office. Kind of like a RAP, but without the RAP licensing.
They are using an IAS server for Radius / 802.1x authentication.
My question is, how do I get this working with the Instant APs? These will be deployed all over the place like RAPs with dynamic addresses, so we can't create RADIUS clients for them in IAS.
I know that I can install certificates on the Instant and have EAP terminate on the Instant, but do I need to install a unique certificate on each Instant? Or can I use the same server certificate on each Instant? And what about the subject name, etc. for the certificate?
Just to get clarity: when you say Instant with VPN to give remote access back to the office, do you mean terminating the Instant Access Point's VPN on the head office controller? Please confirm. If yes, the link below should give the procedure to configure it.
For Instant with EAP-TLS, see the link below.
If you have the PEFV license on the controller, you can alter the default-iap role and source-NAT RADIUS packets out of the controller. From the perspective of IAS, ALL instant APs and sites would look like auth requests coming from the controller's IP and not the IAP's IP.
This is explained in detail in the Instant User guide which covers both the IAP config as well as the controller config.
(host) (config) #ip access-list session iaprole
(host) (config-sess-iaprole)#any host <radius-server-ip> any src-nat   <--- this line will source NAT ALL RADIUS requests to the IAS server as the Controller IP and NOT the individual IAP IPs.
(host) (config-sess-iaprole)#any any any permit
(host) (config-sess-iaprole)#!
(host) (config) #user-role iaprole
(host) (config-role) #session-acl iaprole
You then apply that role to the "default-iap" auth profile found in "Authentication --> L3 Authentication" on the controller
(host) (config) #aaa authentication vpn default-iap
(host) (VPN Authentication Profile "default-iap") #default-role iaprole
Seth, thank you, that's exactly what I was looking for.
They don't have PEFV licenses, but I'll work on that.
Yeah...so in order to alter the default IAP role, you will need the PEF-V. EDITED>>>
Yeah, licensing has been a real pain on this one. It was sold to the customer with no licenses, because someone thought you don't need any licenses to set up IAP+VPN. But then it was scoped to me as a RAP installation...
So you're saying that with 30 IAPs, all I will need is 1x PEFV and 1x PEFNG? Not 30x each?
EDITED FROM BEFORE!!!
Couple of things.
1. The PEFV license is a box license so think of it as a feature enablement license. You would only need one.
2. The PEFNG license does not allow you to alter the default-vpn role that the IAPs are assigned.
In your situation, you will need 1 PEFV license per controller. This will allow you to alter the default-vpn role or assign a different role in the controller where the IAPs are assigned when they connect their VPNs.
Technically, you were sold the solution correctly. You do not need any licenses to terminate the IAPs to a controller. A controller out of the box will allow you to configure itself as a VPN concentrator for the IAPs. However, you need to source NAT RADIUS authentication traffic. Therefore, you will need to create source NAT firewall rules which will require the PEFV license in order to enable that area of the controller's config and feature set.
Hopefully this made some sense!
Ok, so in this case the controller is being used exclusively to terminate the IAP VPNs, so all I will need is the PEF-NG license, correct?
No...you will need one PEF-V license in order to accomplish this.
I would get an eval license in place in the meantime so you can accomplish and test this in short order.
Hmmm... still not working. I can see the IAP in the controller, and it is assigned to the iaprole, but still not getting through to the Radius server...
You should start looking at the IAP config in the VPN settings. Do you have Dynamic RADIUS proxy enabled in the admin screen?
Yes, dynamic radius proxy is set.
Also, VPN settings are pretty straightforward - IPSec, and routing is set to use the controller IP as the default gateway.
The SSID VLAN is set to "statically assigned' and points to the client vlan 13, which is configured on the controller.
I have a L2,Centralized DHCP scope set up, for VLAN13. Enabled DHCP relay in that, pointing to their DHCP server IP.
Any chance you can post the configs from both IAP and controller? If you strip down the SSID to a PSK or open, does the VPN tunnel to HQ work?
Also, the output of "show iap table long"
To anyone reading this thread - I made some corrections in my licensing requirements for this scenario. I had previously written that the PEFNG license would work for this situation. However, I incorrectly stated that. You require the PEF-V license for anything related to changing the roles or policies for the IAPs.
NOTE: In most situations, using the VPN functionality with IAPs will not require ANY licenses.
Even when using open authentication, I still can't get into the corporate VLAN's. So that's likely where the problem is. Now I just need to find out why.
More info: When connecting to the CorpNet-test WLAN, users should be placed into VLAN 13 which exists on their LAN. The controller is configured for VLAN 13, and this works when using a RAP.
(Aruba3200) #show iap table long
                              ^
% Invalid input detected at '^' marker.
(Aruba3200) #show iap table
Branch Key                                           Index  Status  Inner IP    MAC Address        Subnet
----------                                           -----  ------  --------    -----------        ------
e08b7d4501281ae829dbae1edb29b03d8bac95cde9c74dd06a   1      UP      172.17.2.3  00:0b:86:8d:fd:ca
7239dace01c6309af9eb7c81b8670a22f41b74651160d5a5a1   0      DOWN    0.0.0.0     00:0b:86:83:4a:4f
The IAP config:
version 184.108.40.206-3.3.0
virtual-controller-country CA
virtual-controller-key *
name corp-Instant
terminal-access
clock timezone none 00 00
rf-band all
dynamic-radius-proxy

routing-profile
 route 10.10.0.0 255.255.0.0 10.10.0.230
 route 10.14.0.0 255.255.0.0 10.10.0.230
 route 10.13.0.0 255.255.0.0 10.10.0.230
 route 10.12.0.0 255.255.254.0 10.10.0.230

arm
 wide-bands 5ghz
 min-tx-power 18
 max-tx-power 127
 band-steering-mode prefer-5ghz
 air-time-fairness-mode fair-access
 client-aware
 scanning

syslog-level warn ap-debug
syslog-level warn network
syslog-level warn security
syslog-level warn system
syslog-level warn user
syslog-level warn user-debug
syslog-level warn wireless

vpn primary 220.127.116.11

mgmt-user admin *

wlan access-rule basic
 rule any any match any any any permit

wlan access-rule corpNet-test
 rule any any match any any any permit

wlan access-rule default_dev_rule
 rule any any match any any any permit

wlan access-rule default_wired_port_profile
 rule any any match any any any permit

wlan access-rule wired-instant
 rule 192.168.220.149 255.255.255.255 match tcp 80 80 permit
 rule 192.168.220.149 255.255.255.255 match tcp 4343 4343 permit
 rule any any match udp 67 68 permit
 rule any any match udp 53 53 permit

wlan ssid-profile basic
 enable
 index 0
 type employee
 essid basic
 wpa-passphrase *
 opmode wpa2-psk-aes
 max-authentication-failures 0
 vlan guest
 rf-band all
 captive-portal disable
 dtim-period 1
 inactivity-timeout 1000
 broadcast-filter none
 blacklist
 dmo-channel-utilization-threshold 90
 local-probe-req-thresh 0
 max-clients-threshold 64

wlan ssid-profile corpNet-test
 enable
 index 1
 type employee
 essid corpNet-test
 opmode wpa2-aes
 max-authentication-failures 0
 vlan 13
 auth-server corp-Radius
 rf-band all
 captive-portal disable
 dtim-period 1
 inactivity-timeout 1000
 broadcast-filter none
 blacklist
 dmo-channel-utilization-threshold 90
 local-probe-req-thresh 0
 max-clients-threshold 64

auth-survivability cache-time-out 24

wlan auth-server corp-Radius
 ip 10.10.0.103
 port 1812
 acctport 1813
 key *

wlan external-captive-portal
 server localhost
 port 80
 url "/"
 auth-text "Authenticated"

blacklist-time 3600
auth-failure-blacklist-time 3600

ip dhcp Vlan13_DHCP
 server-type Centralized,L2
 server-vlan 13
 dhcp-relay
 dhcp-server 10.10.1.6

wired-port-profile default_wired_port_profile
 switchport-mode trunk
 allowed-vlan all
 native-vlan 1
 shutdown
 access-rule-name default_wired_port_profile
 speed auto
 duplex full
 no poe
 type employee
 captive-portal disable
 no dot1x

wired-port-profile wired-instant
 switchport-mode access
 allowed-vlan all
 native-vlan guest
 no shutdown
 access-rule-name wired-instant
 speed auto
 duplex auto
 no poe
 type guest
 captive-portal disable
 no dot1x

uplink
 preemption
 enforce none
 failover-internet-pkt-lost-cnt 10
 failover-internet-pkt-send-freq 30
 failover-vpn-timeout 180

airgroupservice airplay
 disable
 description AirPlay
 id _airplay._tcp
 id _raop._tcp

airgroupservice airprint
 disable
 description AirPrint
 id _ipp._tcp
 id _pdl-datastream._tcp
 id _printer._tcp
 id _scanner._tcp
 id _universal._sub._ipp._tcp
 id _printer._sub._http._tcp
 id _http._tcp
 id _http-alt._tcp
 id _ipp-tls._tcp
 id _fax-ipp._tcp
 id _riousbprint._tcp
 id _cups._sub._ipp._tcp
 id _cups._sub._fax-ipp._tcp
 id _ica-networking._tcp
 id _ptp._tcp
 id _canon-bjnp1._tcp
Finally got it all working.
1. Added default route in the IAP VPN for all traffic to go to the Controller IP (0.0.0.0 0.0.0.0 10.10.0.230)
2. Removed the DHCP relay address from the IAP / DHCP server config. It already exists on the VLAN on the controller, so this was causing confusion.
3. Set up src nat as described above. Added a trial license for PEF-V for now.
4. Corrected a typo in the Radius server IP address on the IAP :s
Fun & good times :)
Thanks for all the help!
Great! you saved me a few screen shots that I was just replying back with! Glad it is working.
Keep in mind...if you don't want the PEFV license, you can add the L2TP Inner IP addresses from the pool (assigned to the IAPs) to the RADIUS server. I believe that the IAS can accept a network as one NAS entry but I may be wrong.
I know we can do that with ClearPass.
Yes, I could add the inner IP pool subnet as a Radius client, but there is no route to the inner pool from their network. This customer does not want to change any routes on their network, hence the L2-centralized setup.
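The two ways out of the "unknown RADIUS client" problem discussed in this thread (source-NAT on the controller with PEF-V, versus registering the L2TP inner pool as one NAS entry on the RADIUS server) can be modelled in a few lines. The script below is an added example, not code from the thread or from Aruba; it assumes an IAS-style client list where a request is only accepted if its source address falls inside a registered client prefix, and all addresses in it (controller 10.10.0.230, IAS 10.10.0.103, inner pool 172.17.2.0/24, the three IAP inner IPs, and the LAN route tables) are constructed sample values. It also shows why the pool-as-client option fails in this customer's case: the match succeeds, but without a LAN route to the inner pool the reply never gets back to the IAP.

```python
import ipaddress

# Constructed sample values for this illustration (not the thread's real deployment):
CONTROLLER_IP = "10.10.0.230"      # assumed address the controller's src-nat rule stamps on RADIUS packets
RADIUS_SERVER_IP = "10.10.0.103"   # IAS server
IAP_INNER_IPS = ["172.17.2.3", "172.17.2.7", "172.17.2.20"]   # L2TP inner-pool addresses of three IAPs
IAP_INNER_POOL = "172.17.2.0/24"   # assumed pool the controller hands out to IAP tunnels


def build_nas_table(entries):
    """IAS-style RADIUS client list: name -> network. A /32 registers one NAS;
    a wider prefix registers a whole address range as a single client entry."""
    return {name: ipaddress.ip_network(prefix, strict=False) for name, prefix in entries}


def lookup_nas(nas_table, src_ip):
    """Return the client entry covering src_ip, or None. None is the 'unknown
    RADIUS client' case: the server discards the Access-Request, so the
    supplicant's EAP exchange never completes."""
    ip = ipaddress.ip_address(src_ip)
    for name, net in nas_table.items():
        if ip in net:
            return name
    return None


def src_nat(src_ips, dest_ip, nat_ip, radius_server):
    """Model the iaprole session ACL 'any host <radius-server-ip> any src-nat':
    packets destined for the RADIUS server leave the controller with nat_ip as
    their source; everything else keeps its original source address."""
    if dest_ip == radius_server:
        return [nat_ip for _ in src_ips]
    return list(src_ips)


def has_route(route_table, dst_ip):
    """True if some prefix in route_table covers dst_ip (the reply-path check)."""
    ip = ipaddress.ip_address(dst_ip)
    return any(ip in ipaddress.ip_network(prefix) for prefix in route_table)


def scenario_no_nat():
    """IAPs proxy RADIUS from their own inner IPs; only the controller is a client."""
    nas = build_nas_table([("hq-controller", CONTROLLER_IP + "/32")])
    return [lookup_nas(nas, ip) for ip in IAP_INNER_IPS]


def scenario_src_nat():
    """Same client list, but the controller source-NATs RADIUS toward the IAS server."""
    nas = build_nas_table([("hq-controller", CONTROLLER_IP + "/32")])
    seen = src_nat(IAP_INNER_IPS, RADIUS_SERVER_IP, CONTROLLER_IP, RADIUS_SERVER_IP)
    return [lookup_nas(nas, ip) for ip in seen]


def scenario_pool_entry(lan_routes):
    """Alternative without PEF-V: register the inner pool as one client entry.
    Returns (client match per IAP, whether the LAN can route the reply back)."""
    nas = build_nas_table([("hq-controller", CONTROLLER_IP + "/32"),
                           ("iap-inner-pool", IAP_INNER_POOL)])
    matches = [lookup_nas(nas, ip) for ip in IAP_INNER_IPS]
    reachable = [has_route(lan_routes, ip) for ip in IAP_INNER_IPS]
    return matches, reachable


if __name__ == "__main__":
    print("no src-nat       :", scenario_no_nat())
    print("src-nat          :", scenario_src_nat())
    print("pool, no route   :", scenario_pool_entry(["10.10.0.0/16", "10.12.0.0/23"]))
    print("pool, with route :", scenario_pool_entry(["10.10.0.0/16", "172.17.2.0/24"]))
```

The first scenario reproduces the original symptom (every IAP's request comes from an address IAS does not know, so nothing reaches the EAP stage); the second is what the iaprole src-nat ACL achieves; the third only works once the customer's LAN has a route back to the inner pool, which is exactly the change this customer did not want to make.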