Wireless Access


RAP Help

  • 1.  RAP Help

    Posted Nov 07, 2024 06:12 PM

    I think I am missing something with the RAP configuration which for some reason I can't find in the documentation

    Configuration is as follows:
    Two Conductors

    Two Controllers

    1 subnet that directly connects to my router (VLAN 201)

    1 subnet configured on the router only (VLAN 25) for data communication

    My APs work flawlessly in Bridged mode connecting into VLAN 25

    I followed the steps to configure a remote AP and it will establish a tunnel successfully to my Controllers with a 169.254.254.x address

    The problem I have is: How do I get a client connected to this AP?

    I can find instructions on the web how to do this?

    Ideally I want each remote AP to dynamically receive a small subnet /29 for instance and DHCP on the Remote AP.

    I can't find any documentation on how to do this, however.

    Hope someone can help

    Thank you



    ------------------------------
    Martijn van Overbeek
    Architect, Netcraftsmen a BlueAlly Company
    ------------------------------


  • 2.  RE: RAP Help

    Posted Nov 08, 2024 05:26 AM

    Normally, you would run campus APs in tunneled mode. Then when you have a Remote AP, you can apply the same configuration, and clients that connect and are assigned to, let's say, VLAN 25 break out at the controller and will get their IP address from the DHCP server in VLAN 25. For the network, it's then transparent wherever they connect. Bridging traffic on campus APs is deprecated; the controller architecture was designed to tunnel traffic, which makes RAP scenarios really simple if you want to offer the same service on campus and RAPs.

    Making it routed (small DHCP subnet) will make things much harder, and would fit better in the SD-Branch scenario, or for RAP more specifically micro-branch, which is all managed and orchestrated from Central. That architecture more closely matches what you are trying to design.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: RAP Help

    Posted Nov 11, 2024 03:15 PM
    Edited by mvanoverbeek Nov 11, 2024 04:21 PM

    Thank you Herman and Carson

    This customer purchased the Conductors (virtual) and Controllers (virtual), so we were kind of stuck trying to make it work in the network.

    I changed my mock setup and added a VLAN 122, which I routed through OSPF from the controllers to the rest of my environment.

    Everything works fine for Campus APs: when I create a new WLAN in tunneled mode, I receive IP addresses from my DHCP server and everything works out fine.

    When I convert this Campus AP into a Remote AP, for some kind of reason whatever I try the passwords of the SSIDs always come up as incorrect, even for enhanced open.

    When I configured a wired profile all worked fine, I was able to receive an IP address in VLAN 122.

    I will keep tinkering but any gotchas would be appreciated to see why Wireless isn't authenticating the personal SSID? What am I overlooking? 

    Thank you



    ------------------------------
    Martijn van Overbeek
    Architect, Netcraftsmen a BlueAlly Company
    ------------------------------



  • 4.  RE: RAP Help

    Posted 28 days ago

    This sounds unexpected, but it can be basically anything. The approach would be to troubleshoot step by step where the issue is, which is quite hard in a forum where much information is missing, and finding the issue takes multiple steps, each depending on the previous step. Interactive access would greatly help, and your Aruba partner or TAC may be better suited for that.

    One thing that I can think of, why in CAP mode it works but in RAP it doesn't, could be Control Plane Security, which is enabled by default and must have been disabled explicitly. For RAPs, control plane security is mandatory, but I believe for bridged on CAP as well, so I'm a bit clueless.



    ------------------------------
    Herman Robers
    ------------------------------



  • 5.  RE: RAP Help

    Posted 28 days ago

    Thanks Herman,

    Yes, it actually got weirder and I will probably just open a TAC case unless you have an idea. What I found is that my Windows 11 laptop will not connect to the SSID of the RAP but my iPhone 13 connects fine. The AP is basically less than a meter away from my iPhone and laptop, so conditions are the same.

    I enabled some logging (see below), but I could not get any decent info from it.

    My last request would be, is there a particular logging level that comes to mind that I can explore? 

    Logging that I enabled. 

    logging security level debugging
    logging security subcat ids level warnings
    logging security subcat ids-ap level warnings
    logging wireless level debugging



    ------------------------------
    Martijn van Overbeek
    Architect, Netcraftsmen a BlueAlly Company
    ------------------------------



  • 6.  RE: RAP Help

    Posted 28 days ago

    What version of AOS 8?



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 7.  RE: RAP Help

    Posted 28 days ago

    Same version for controllers and conductors; both are on: 8.10.0.14_90752 LSR

    As a side note I am using 345 APs



    ------------------------------
    Martijn van Overbeek
    Architect, Netcraftsmen a BlueAlly Company
    ------------------------------



  • 8.  RE: RAP Help

    Posted 24 days ago

    Is that SSID configured with WPA2/3-Enterprise? If some devices connect, others don't, and those that don't work on the campus AP, it may be an MTU issue with the certificate being too large. The RAP has a few additional bytes for the IPSec encapsulation.



    ------------------------------
    Herman Robers
    ------------------------------



  • 9.  RE: RAP Help

    Posted 24 days ago

    It turned out I should have broadened my test device scope. I tested a Windows 10 laptop and a MacBook and they worked fine. I think it is something with this Windows 11 laptop.



    ------------------------------
    Martijn van Overbeek
    Architect, Netcraftsmen a BlueAlly Company
    ------------------------------



  • 10.  RE: RAP Help

    Posted Nov 08, 2024 10:03 AM

    IAP-VPN or Microbranch with a DL3 implementation is what you're after.

    https://www.arubanetworks.com/techdocs/central/sd-branch-ref-docs/iap-vpn-based-microbranch-solution-guide.pdf



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 11.  RE: RAP Help

    Posted 28 days ago

    Hi Carson,

    I know that might be better, but this customer was sold conductor/controller licenses and I am trying to set them up with the equipment that they have. Also, I think I am quite close to getting in a stable state, except for the strange behavior that the iPhone can access the WiFi network through the RAP and my Windows 11 laptop cannot.

    I will open a ticket with TAC to see what's going on.



    ------------------------------
    Martijn van Overbeek
    Architect, Netcraftsmen a BlueAlly Company
    ------------------------------