Controllerless Networks

Hello,

I recently got an IAP-305, and configured it via the wifi ConfigureMe wifi network that came up. After setting up a few VLANs, converting it to a standalone AP, and changing admin password, the ConfigureMe network dissapeared. Now, I am unable to figure out how to log back in.

The setup:

IAP <---> Switch <---> pfSense box

I don't have a console cable. I've tried the instant.arubanetworks.com:443 address in a browser from both a home and management wifi VLAN, as well as <ip>:443 from over wired ethernet. Nothing seems to work.

Was there additional configurations that I needed to make to allow gui access via wifi? Am I even able to log into GUI over the wired ethernet?

instant.arubanetworks.com only works if you are connected via the wireless of the IAP, not from the wired. Also, while you should get a redirect, the WebUI is running on port 4343: https://instant.arubanetworks.com:4343/

From the native VLAN of your IAP, you should be able to access the WebUI as well if you know the IP: https://10.1.1.10:4343 (given that is the management IP).

You mention that the AP has a native VLAN... Does the instant.arubanetworks.com:443 only work on that native VLAN? Or since I set up an 'employee' type VLAN, can I access it via that? Because I did try via wifi and specified the port, but had no luck.

I'm assuming that I will just have to factory reset the AP at this point. Even if I could figure out the native VLAN ip for a wired connection, I would have to add, configure, and eventually delete the VLAN on the switch and in pfSense, which is a lot of extra work.

I currently have a personal management VLAN setup that I use when doing switch and pfSense configs. Can I change the IP and tag of the AP's native VLAN to match that of my home management network? Or what settings would I need to configure to avoid this issue next time and allow me GUI access?

I'm not 100% sure if the virtual controller is only accessible from the native (or management) VLAN. It is recommended to have the management VLAN untagged to the IAP and leave the management VLAN setting in the IAP WebUI unset. Client traffic should go on a tagged VLAN in general.

If you lost access, and don't have a console cable, it may be quickest to indeed reset the AP and start over.

I did end up resetting the AP and configured it so that I have access via my home management VLAN. However, I did so by configuring the management uplink to be tagged. So all is well.

Can I ask why using native/untagged VLAN for mangement is best practice as opposed to using a tagged VLAN?

There may be other reasons, but if the cluster communication no longer runs in the native VLAN, you may get into situations where some APs operate in a tagged VLAN others in the untagged VLAN. Leaving management in the untagged avoids all of that. Keep it simple. You can connect one VLAN as the native VLAN, just let that be the management VLAN.

I think you mentioned your IAP was converted to standalone, so it may be less relevant. And there are probably other reasons to come up with (can't think of one now), but in general if you can avoid management on a tagged VLAN, keep it on the native.