Product and Software: This article applies to all Aruba controllers running ArubaOS 3.3 and later.
Today, most hotels have their own captive portal. Internet access is not available before user password authentication, which prevents the remote AP from connecting to the controller.
This setup will work with the new RAP backup SSID feature. The backup configuration (also known as fallback mode) operates the remote AP if the master controller or the configured primary and backup LMS are unreachable. The remote AP saves configuration information that allows it to operate autonomously using one or more SSIDs in local bridging mode while supporting open association or encryption with PSKs.
A user can plug the AP into the hotel Ethernet port. The AP functions like a fat AP, which means it is the DHCP server, a NAT router, and it advertises a backup SSID. The user is able to connect wirelessly and pass captive portal authentication. After the Internet connection is up, the AP is able to connect to the controller and advertise the corporate SSID.
Here is the sample configuration:
1) Issue the following command, and use opensystem, staticwep, or wpa-psk:
config wlan ssid-profile
SSID Profile "bk"
-----------------
Parameter                          Value
---------                          -----
SSID enable                        Enabled
ESSID                              bk
Encryption                         opensystem
DTIM Interval                      1 beacon periods
802.11a Basic Rates                6 12 24
802.11a Transmit Rates             6 9 12 18 24 36 48 54
802.11g Basic Rates                1 2
802.11g Transmit Rates             1 2 5 6 9 11 12 18 24 36 48 54
Station Ageout Time                1000 sec
Max Transmit Attempts              4
RTS Threshold                      2333 bytes
Short Preamble                     Enabled
Max Associations                   64
Wireless Multimedia (WMM)          Disabled
WMM TSPEC Min Inactivity Interval  0 msec
Hide SSID                          Disabled
Deny_Broadcast Probes              Disabled
Local Probe Response               Enabled
WEP Key 1                          ********
WEP Key 2                          N/A
WEP Key 3                          N/A
WEP Key 4                          N/A
WEP Transmit Key Index             1
WPA Hexkey                         N/A
WPA Passphrase                     N/A
Maximum Transmit Failures          0
BC/MC Rate Optimization            Disabled
2) Issue the following command:
config aaa profile
AAA Profile "bk"
----------------
Parameter                           Value
---------                           -----
Initial role                        bk
MAC Authentication Profile          N/A
MAC Authentication Default Role     guest
MAC Authentication Server Group     default
802.1X Authentication Profile       N/A
802.1X Authentication Default Role  guest
802.1X Authentication Server Group  N/A
RADIUS Accounting Server Group      N/A
User derivation rules               N/A
Wired to Wireless Roaming           Enabled
In the aaa profile, the initial role is important. At least two lines are needed:
Derived Role = 'bk'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Periodic reauthentication: Disabled
ACL Number = 32/0
Max Sessions = 65535
access-list List
----------------
Position  Name  Location
--------  ----  --------
1         bk
bk
--
Priority  Source  Destination  Service   Action         TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan
--------  ------  -----------  -------   ------         ---------  ---  -------  -----  ---  -----  ---------  ------  -------
1         any     any          svc-dhcp  permit                                  Low
2         user    any          any       route src-nat                           Low
Expired Policies (due to time constraints) = 0
The first line is to allow the client to get the IP address from the AP. (The AP is a DHCP server; the configuration is below.)
The second line is to allow user traffic to be NATed.
3) Issue the following command:
config wlan virtual-ap
Virtual AP profile "bk"
-----------------------
Parameter                              Value
---------                              -----
Virtual AP enable                      Enabled
Allowed band                           all
SSID Profile                           bk
VLAN                                   100
Forward mode                           bridge
Deny time range                        N/A
Mobile IP                              Enabled
DoS Prevention                         Disabled
Station Blacklisting                   Enabled
Blacklist Time                         3600 sec
Authentication Failure Blacklist Time  3600 sec
Fast Roaming                           Disabled
Strict Compliance                      Disabled
VLAN Mobility                          Disabled
AAA Profile                            bk
Remote-AP Operation                    backup
4) Issue the following command:
config ap system profile
AP system profile "bk"
----------------------
Parameter                     Value
---------                     -----
LMS IP                        20.20.20.1
Backup LMS IP                 N/A
LMS Preemption                Disabled
LMS Hold-down Period          600 sec
Master controller IP address  20.20.20.1
RF Band                       g
Double Encrypt                Disabled
Native VLAN ID                1
SAP MTU                       N/A
Bootstrap threshold           8
Request Retry Interval        10 sec
Maximum Request Retries       10
Keepalive Interval            60 sec
Dump Server                   N/A
Telnet                        Disabled
SNMP sysContact               N/A
AeroScout RTLS Server         N/A
MMS RTLS Server               N/A
RTLS Server configuration     N/A
Remote-AP DHCP Server VLAN    100
Heartbeat DSCP                0
Session ACL                   N/A
Corporate DNS Domain          N/A
The remote-ap DHCP server VLAN should match the VLAN ID configured in virtual-ap. No IP address is needed for this VLAN interface.
5) Configure the primary SSID, virtual AP, and other items.
6) Apply these to the ap-group.
AP group "bktest"
-----------------
Parameter                           Value
---------                           -----
Virtual AP                          bk
Virtual AP                          primary
802.11a radio profile               default
802.11g radio profile               default
Wired AP profile                    default
Ethernet interface 0 link profile   default
Ethernet interface 1 link profile   default
AP system profile                   bk
802.11a Traffic Management profile  N/A
802.11g Traffic Management profile  N/A
Regulatory Domain profile           default
SNMP profile                        default
RF Optimization profile             default
RF Event Thresholds profile         default
IDS profile                         ids-low-setting
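The constraints stated in the steps above (an allowed encryption type, bridge forwarding with Remote-AP Operation set to backup, a Remote-AP DHCP Server VLAN that matches the virtual AP VLAN, and the two ACL lines in the initial role) can be checked against saved show output before the AP leaves the office. The Python script below is an added example, not part of the original article or any Aruba tool; the function names and the trimmed sample output are constructed, and it assumes the two columns are separated by two or more spaces, as on the controller CLI.

```python
import re

def parse_profile(text):
    """Parse 'Parameter  Value' show output (columns split by 2+ spaces)."""
    fields = {}
    for line in text.splitlines():
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=1)
        # Skip titles, the column header, and the dashed rule under it.
        if len(parts) == 2 and parts[0] != "Parameter" and not set(parts[0]) <= {"-"}:
            fields[parts[0]] = parts[1]
    return fields

def audit(ssid, vap, sysprof, acl_rules):
    """Return findings for the article's constraints; an empty list means consistent."""
    findings = []
    # Encryption names as the article lists them in step 1.
    if ssid.get("Encryption") not in {"opensystem", "staticwep", "wpa-psk"}:
        findings.append("ssid: backup mode needs opensystem, staticwep, or wpa-psk")
    if vap.get("Forward mode") != "bridge":
        findings.append("virtual-ap: backup SSID must use bridge forwarding")
    if vap.get("Remote-AP Operation") != "backup":
        findings.append("virtual-ap: Remote-AP Operation is not backup")
    if vap.get("VLAN") != sysprof.get("Remote-AP DHCP Server VLAN"):
        findings.append("system profile: Remote-AP DHCP Server VLAN != virtual-ap VLAN")
    rules = {tuple(rule.split()) for rule in acl_rules}
    if ("any", "any", "svc-dhcp", "permit") not in rules:
        findings.append("role: no 'any any svc-dhcp permit', clients get no address")
    if ("user", "any", "any", "route", "src-nat") not in rules:
        findings.append("role: no 'user any any route src-nat', traffic is not NATed")
    return findings

# Constructed sample output, trimmed to the fields checked above.
SSID = parse_profile("ESSID       bk\nEncryption  opensystem\n")
VAP = parse_profile(
    "Parameter            Value\n"
    "---------            -----\n"
    "VLAN                 100\n"
    "Forward mode         bridge\n"
    "Remote-AP Operation  backup\n")
SYSPROF = parse_profile(
    "LMS IP                      20.20.20.1\n"
    "Remote-AP DHCP Server VLAN  100\n")
ACL = ["any any svc-dhcp permit", "user any any route src-nat"]

if __name__ == "__main__":
    print(audit(SSID, VAP, SYSPROF, ACL) or "backup configuration is consistent")
    # Same profiles with the DHCP VLAN mismatched and the NAT rule missing.
    broken = {**SYSPROF, "Remote-AP DHCP Server VLAN": "1"}
    print(audit(SSID, VAP, broken, ACL[:1]))
```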