Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Master/Local for HQ/Branch deployment, or standalone at branch sites?

  • 1.  Master/Local for HQ/Branch deployment, or standalone at branch sites?

    Posted Aug 07, 2015 04:54 PM

    Hello,

     

    I've inherited a medium-sized campus Aruba install and I'm deploying a branch site with just a couple of APs and a 7005 controller.  I've noticed all of the Master/Local design guides are designed around campus implementations and don't discuss remote sites.

     

    Would configuring the remote site controller as a Local controller and tying it back to the master at HQ be a proper deployment model, or are there disadvantages?

     

    My initial plan was to configure the remote site controller as a standalone.

     

    There are some limitations on the Instant OS that affect my deployment, which is why I'm using a Mobility Controller for this site.  The main things I'm trying to accomplish are as follows:

     

    1. Local routing (I don't want traffic to tunnel back to HQ to route)

    2. Survivability - Local clients will point to local auth servers, etc. so local operation will continue if the WAN link goes down.

     

    My understanding is that I can do all of this with the master/local model and it will allow me to centralize configuration.

     

    The one thing I'm somewhat confused about though is that I use the local DB for guest access.  Would this be synced from the master to the local?

     

    Is the only issue with a split that I wouldn't be able to make new configuration on the local until connectivity is restored?

     

    Sorry for so many questions.

     

    Thanks for your help!

     

     



  • 2.  RE: Master/Local for HQ/Branch deployment, or standalone at branch sites?

    EMPLOYEE
    Posted Aug 07, 2015 04:56 PM

    Yes, this would be a common deployment.

     

    In order to sync the internal db, you would have to use AirWave. The longer term solution would be to use your RADIUS server for guest management.



  • 3.  RE: Master/Local for HQ/Branch deployment, or standalone at branch sites?

    Posted Aug 07, 2015 05:14 PM

    Thanks for the reply!  That makes my decision a lot clearer.  We're not using AirWave, so I will deploy the remote controller as a standalone.

     

    My long term clean up plan involves implementing a better solution for guest management.  I'll address a possible re-design then.

     

    Thanks!

     

     



  • 4.  RE: Master/Local for HQ/Branch deployment, or standalone at branch sites?
    Best Answer

    EMPLOYEE
    Posted Aug 07, 2015 05:16 PM

    I would still do master-local. Management is much easier than maintaining multiple controllers separately.



  • 5.  RE: Master/Local for HQ/Branch deployment, or standalone at branch sites?

    Posted Aug 07, 2015 05:30 PM

    If running master/local with guest on internal DB, does that mean that guest auth will only work if the local can reach the master?  Is it all proxied through the master?

     

    Also, on that note, we're terminating RADIUS on the controller and authenticating with LDAP on the back end.  Would this still work if the local auth profile pointed to a local LDAP server?  Would it continue to work locally if WAN connectivity was lost?  Or would this need to be proxied through the controller as well?

     

    Thanks!



  • 6.  RE: Master/Local for HQ/Branch deployment, or standalone at branch sites?

    EMPLOYEE
    Posted Aug 07, 2015 05:36 PM

    Both standalone and master/local cannot use another controller's internal db. You could set up a GRE tunnel for guest from the local to the master, which would then use the master's database, however this would not work if the master was down.

     

    For the LDAP stuff, you would essentially clone your AAA profiles and server groups and reference the local LDAP servers instead of the central ones. It will not be proxied.
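
    The cloning described in the reply above, sketched as an added example that is not part of the original thread and not any poster's configuration. It uses ArubaOS 6.x-style CLI as entered on the master; every name (hq-*, branch-*, corp-dot1x), address and DN is a constructed placeholder.

```text
! Existing HQ objects (constructed sample, shown for comparison)
aaa authentication-server ldap "hq-ldap"
   host 192.0.2.10
   admin-dn "cn=wlan-bind,dc=example,dc=com"
   admin-passwd <bind-password>
   base-dn "dc=example,dc=com"
!
aaa server-group "hq-ldap-group"
   auth-server hq-ldap
!
aaa profile "hq-aaa"
   authentication-dot1x "corp-dot1x"
   dot1x-server-group "hq-ldap-group"
!
! Branch clones: same 802.1X profile, but the server group lists
! only the LDAP server that sits on the branch LAN, so authentication
! does not depend on the WAN link.
aaa authentication-server ldap "branch-ldap"
   host 198.51.100.10
   admin-dn "cn=wlan-bind,dc=example,dc=com"
   admin-passwd <bind-password>
   base-dn "dc=example,dc=com"
!
aaa server-group "branch-ldap-group"
   auth-server branch-ldap
!
aaa profile "branch-aaa"
   authentication-dot1x "corp-dot1x"
   dot1x-server-group "branch-ldap-group"
!
! The branch virtual AP (assigned to the branch AP group) points at
! the cloned AAA profile instead of the HQ one.
wlan virtual-ap "branch-vap"
   aaa-profile "branch-aaa"
```

    The bind account used for the branch LDAP server should be a read-only service account, since its password is stored in the controller configuration.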



  • 7.  RE: Master/Local for HQ/Branch deployment, or standalone at branch sites?

    Posted Aug 07, 2015 05:53 PM

    So for the local DB guest stuff, in master/local, I could still manage the local DB of the local and add guests there?  Then any policy that referenced the local DB would reference whichever one was on the local controller?



  • 8.  RE: Master/Local for HQ/Branch deployment, or standalone at branch sites?

    EMPLOYEE
    Posted Aug 07, 2015 05:56 PM
    Yes, that's correct.


  • 9.  RE: Master/Local for HQ/Branch deployment, or standalone at branch sites?
    Best Answer

    EMPLOYEE
    Posted Aug 08, 2015 04:12 AM
    To make the local switch authenticate guest users locally rather than against the master, the command is on the local.

    aaa authentication-server internal use-local-switch