Controllerless Networks


Instant AP VPN -> Controller

  • 1.  Instant AP VPN -> Controller

    Posted Feb 06, 2014 03:58 AM

    I have a case where I need to set up two RAP3-WNs to work with (unsupported) 3G/4G modems, send them out to the world and have them connect to a 650 Controller with VPN. I was thinking that I'd like these to work in IAP mode in case the VPN cannot be established or somebody needs to tweak the modem settings locally. I'm new to IAPs and looking for advice on VPN configuration. What I've done so far:

     

    - Set up IAP WLAN to have Virtual Controller assigned IPs

    - Configured VPN and whitelisted AP from controller. VPN status is UP

     

    From the Controller I can ping the IP address of the remote IAP, so I think the VPN is OK. I'm testing this now over wired internet; the USB modem is not configured yet. I want to get the VPN working before moving to USB.

     

    The thing I cannot figure out: how do I configure IAP clients to have their own subnet behind IAP NAT, where I make a split tunnel to the corporate network? I tried to use the default network which the IAP makes and make a route in the VPN settings, but traffic to that network is not routed to the VPN tunnel at all.



  • 2.  RE: Instant AP VPN -> Controller

    Posted Feb 06, 2014 04:30 AM

    Some progress, I realized that I need to configure DHCP settings even if the IAP is offering something by default. So I created local DHCP and assigned that VLAN to SSID. Now I can ping controller-ip which is in destination subnet where I want to go. But still no access to other devices in that target subnet. 



  • 3.  RE: Instant AP VPN -> Controller

    Posted Feb 06, 2014 02:23 PM

    What version are you running on the controller side?

     

    Can you see the assigned subnet in the controller in "show iap table"?



  • 4.  RE: Instant AP VPN -> Controller

    Posted Feb 06, 2014 03:06 PM
    (Aruba650) #show iap table
    
    Branch Key                                             Index     Status     Inner IP        MAC Address             Subnet
    ----------                                             -----     ------     --------        -----------             ------
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx     1         UP         172.17.0.11     00:0b:86:xx:xx:xx
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx     0         DOWN       0.0.0.0         00:0b:86:xx:xx:xx
    
    (Aruba650) #

     

    For some reason same AP is listed two times. Subnet column is empty. 

     

    Controller firmware is 6.2.1.3



  • 5.  RE: Instant AP VPN -> Controller

    Posted Feb 08, 2014 05:44 PM

    Ah, changing VC DHCP to distributed L3, a bit better:

     

    (Aruba650) #show iap table
    
    Branch Key                                             Index     Status     Inner IP        MAC Address             Subnet
    ----------                                             -----     ------     --------        -----------             ------
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx     1         UP         172.17.0.13     00:0b:86:xx:xx:xx       172.16.1.64/27

     

    And traffic is still blocked, but it seems that my client IP behind the IAP is in the logon role. But where do I control that behaviour?



  • 6.  RE: Instant AP VPN -> Controller

    Posted Feb 09, 2014 08:59 AM

    Create a VPN authentication profile for IAP and select the correct role in that profile (default will be default-vpn-role which will allow all traffic):

     

    aaa authentication vpn "default-iap"

    !



  • 7.  RE: Instant AP VPN -> Controller

    Posted Feb 09, 2014 01:05 PM
    (Aruba650) #aaa authentication ?
    dot1x                   Show 802.1X Authentication Configuration
    stateful-dot1x          Stateful 802.1X Authentication
    
    (Aruba650) #aaa authentication vpn
                                   ^
    % Invalid input detected at '^' marker.
    
    (Aruba650) #

     Am I missing something?

     

    EDIT: Yes, configure terminal. Shouldn't wake up today..



  • 8.  RE: Instant AP VPN -> Controller

    Posted Feb 09, 2014 03:14 PM

    I got AP and PEF licenses, but do I also need PEF/VPN aka VIA/VPN licenses on controller?



  • 9.  RE: Instant AP VPN -> Controller

    Posted Feb 09, 2014 04:49 PM

    AP+PEF is absolutely sufficient. PEFV(VIA) gives you additional role assignment options.

    HTH

    MK



  • 10.  RE: Instant AP VPN -> Controller

    Posted Feb 13, 2014 07:16 AM

    I checked on two different A650 Controllers, one running 6.2.1.3 and another running 6.3.1.2. Neither has an option to set a default profile for VPN authentication, not in the CLI, not in the GUI. The only thing I can change is server-group. I tried to play with rules in server-group but that didn't change things.



  • 11.  RE: Instant AP VPN -> Controller
    Best Answer

    Posted Feb 13, 2014 07:42 AM

    Hi, 

    In the ArubaOS 6.3.x documentation there is no information about support for Instant VPN on MC6x0 (table 215 p.881). I've tested that on 3200XM and it works perfectly. It is possible that Instant VPN is not supported on 650. To be sure, please open the ticket. 

    Many regards, 

    Marek Krauze

    ACMX #295



  • 12.  RE: Instant AP VPN -> Controller

    Posted Feb 13, 2014 08:33 AM

    Yes, the local Aruba rep confirmed that 3200XM is the minimum requirement. Somebody at Aruba should add to the documentation in big red letters that the 600 series is not supported so that there's no confusion.

     

    I'll convert these just into regular RAPs. 



  • 13.  RE: Instant AP VPN -> Controller

    Posted Feb 13, 2014 08:43 AM

    Hi, 

    We can figure it out from 6.2, when AppRF was not fully supported on the 600 series.

     

    Marek Krauze

    ACMX #295
