Controllerless Networks

I have an AP-515, with ArubaOS 8.4.0.0.  It defaults to Instant/controller-less mode.  I'm trying to convert it to CampusAP mode.  Supposedly, this is possible through DHCP option 43.  

I'm testing with one AP, I expect to have hundreds, so individual conversion is not viable.  I cannot join them to my existing aruba-master, because it's supporting our older APs, and the AP-515 emits a console message "SAPD: Unable to contact switch: HELLO-NOT_SUPPORTED_AP_TYPE", then reboots.  

First of all, the instructions at "https://www.arubanetworks.com/techdocs/ArubaOS_83_Web_Help/content/arubaframestyles/dhcp_option_43/linux_dhcp_servers.htm?Highlight=%20dhcp" are wrong.  I can watch the packets, and see that the AP is sending DHCP discover packets with vendor id "ArubaInstantAP".  So the match has to look for that string.  This matches the reference documentation at "https://community.arubanetworks.com/t5/Validated-Reference-Design/Aruba-Instant-Validated-Reference-Design-V2-0/ta-p/456734?collapse_discussion=true&q=instant%20%20dhcp&search_type=thread".  But that doesn't tell how to format the reply.  I can't figure out what to send back in options 60 and 43.

If I send back option 60 "ArubaInstantAP" and the server IP, formated as specified in the linux_dhcp_servers.htm link, I get a console error message "Jan 1 00:00:37 udhcpc[4532]: DHCP OPT 43 format Invalid".  I tried a dozen other formats, ie the IP in ascii, without the leading 2b:04, etc.  Nothing worked.  

 If I send back "AubaAP" and the server IP in the format from the linux_dhcp_servers.htm, it gives a console message about option 60 being ArubaAP, says nothing about option 43, and doesn't send any packets to the specified server.  After about 10 minutes it reboots again, and will no longer accept the default username/password, nor any other I know.  It's web page still says "Welcome to Instant".  it never attempts to contact the server's ip.  

If I omit the option 60  vendor-class-identifier, it produces an error about DHCP OPT 60 NULL, never says anything about option 43, and doesn't work.  

How do I format option 43 to trigger conversion to CampusAP on an Instant AP-515?  

BTW, I also found a bug where the AP will never acknowledge a DHCP offer from a server on the same vlan.  It doesn't pick up the offered ip, doesn't send the per-ip request, and never emits any console messages about parsing the dhcp response.  It eventually falls back to the standard 169 self-ip.  The dhcp offer MUST be relayed through a router.  I have no idea why.  

The first help article you are referring to is factually correct but it provides the instructions of how you need to structure the options, if you want to leverage DHCP for Master Discovery (for a CAP) - which is how the CAP finds its controller. This is an alternative to the ADP/DNS-based discovery mechanisms. It requires the AP to be provisioned as CAP though already. It is not referring to IAP to CAP conversioin.

A few questions that might help narrow down the issue:

• Controller model/SW version?
• Have you previously used this AP in Instant mode and therefore converted it from UAP (shipping from factory) to Instant by uploading the 8.4.0.0 image manually? Your capture indicates you have already converted to IAP.

You could leverage Aruba Activate for the conversion to CAP as well: https://blogs.arubanetworks.com/solutions/what-is-aruba-activate/

It is particularly handy when converting large numbers of factory-default IAP to CAP (assuming the connectivity prerequisites are met).

My controller is an Aruba7280 with 8.4.0.1.  My test AP is a 515 in factory config.  I even did a factory reset on it before testing.  I believe that's the "manufacturing" stripped down version of Instant.  I have never manuall converted this ap to Instant.  Even if I had, the factory reset should have purged that?

The first article gives an example of how to configure an ISC DHCP server.  It seems to be only for APs that are already in Campus AP mode.  It is factually very, very wrong for Instant APs.  For starters, they identify themselves with option 60 = "ArubaInstantAP".  It's matching on "ArubaAP".  

I cannot use ADP because that's broadcast based, and local to the vlan.  I don't have a controller on every vlan.  

I cannot use the DNS discovery mechanism, because it searches for aruba-master.udel.edu.  That is my old controller, running my over three thousand existing APs.  If this AP tries to contact it, I get an error about unsupported model.  

I cannot use Aruba Activate, because neigher my airwave nor my APs are reachable from the internet.  Our security group would never allow that.  Both are on 10.x.x.x IPs, that are not routable on the internet.  

My boss may have found the solution.  The example isc dhcp config is wrong for factory AP-515s.  It might work for older APs, and APs already in campus mode, but not for 515s in factory mode.  You have to have two matching stanzas, one for ArubaInstantAP and one for ArubaAP.  The factory image sends option 60, vendor-class-identifier "ArubaInstantAP".  Once it's converted to Campus mode, it sends "ArubaAP".  Regardless of which one it sends, the dhcp server must reply with option 60 "ArubaAP".  It must never respond with ArubaInstantAP.  Then you have to put the controller IP address, and only the controller IP address, in "ip-address" 4 octet form, in option 43.  

The first time the AP boots.  It will send a dhcp discover with option 60 set to ArubaInstantAP, and come up as an Instant AP.  There will be a bunch of console messages, then it will appear ready.  You can connect to it on port 443, and see a "Welcome to Instant" login page.  It will not be registered with the controller.  

After about 10 minutes or so it will say "Received SIGTERM" on the console, and reboot.  It won't announce this conversion, or say anything during it.  You just have to wait and hope.

When it comes back up the second time, it will send a DHCP discover with option 60 set to "ArubaAP".  Then it will issue normal boot messages and also say "uap conversion successful".  Then it will reboot again.  This boot only takes about a minute.  

The third time, it will identify with "ArubaAP", boot, say "Rebooting after setting cert_cap=1. Need to open a secure channel(IPSEC)", and reboot.  Again, this only takes about a minute.    

The fourth time, it comes up as a Campus AP, and registers with the controller.  

option serverip code 43 = ip-address;
class "vendor-class" {
    match option vendor-class-identifier;
    }

shared-network shn163 {
    subnet 10.2.163.192 netmask 255.255.255.192 {
        option subnet-mask 255.255.255.192;
        option routers 10.2.163.193;
        option broadcast-address 10.2.163.255;

        subclass "vendor-class" "ArubaInstantAP" {
            option vendor-class-identifier "ArubaAP";
            option serverip 10.2.163.132;
            }

        subclass "vendor-class" "ArubaAP" {
            option vendor-class-identifier "ArubaAP";
            option serverip 10.2.163.132;
            }
        range 10.2.163.194 10.2.163.241;
        }

    subnet 128.175.163.192 netmask 255.255.255.192 {
        option subnet-mask 255.255.255.192;
        option routers 128.175.163.193;
        option broadcast-address 128.175.163.255;
        }
    }

Good catch, thanks for sharing.

Your observation is acutally in line with the UAP boot process, though I am suprised to see the UAP conversion takes 10min.

I wasn't aware that the UAP sends its vendor-class identifier with "ArubaInstantAP" when booting on the UAP image. Probably true for all UAP models then.