We configured the second option, so the VC is the DHCP server for the internal (wifi) users. But until we didn't create the VLANs on the switch, thats assigned for the SSIDs (vlan 2 and 3), the connection didn't work, on the APs, only works from the current Master IAP.
We tried to set IP settings manually, but didn't work too, wasn't connection to the default gateway.
Now works, but need to be create the vlan 2 and 3 on the switch, and set tagged to the switchport where AP was connected (native vlan: 1, and the external DHCP is in vlan 1, who is set IP addresses to the APs after boot up)
Our config:
version 6.4.4.0-4.2.3
syslocation "xxxxxxxxxxxxxxxxxxxxxxxx"
virtual-controller-country HU
virtual-controller-key xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
name xxxxxx
virtual-controller-ip 172.16.0.100
terminal-access
rf-band all
allowed-ap xx:xx:xx:xx:xx:xx
allowed-ap xx:xx:xx:xx:xx:xx
allowed-ap xx:xx:xx:xx:xx:xx
allowed-ap xx:xx:xx:xx:xx:xx
allowed-ap xx:xx:xx:xx:xx:xx
allowed-ap xx:xx:xx:xx:xx:xx
allowed-ap xx:xx:xx:xx:xx:xx
allowed-ap xx:xx:xx:xx:xx:xx
allowed-ap xx:xx:xx:xx:xx:xx
arm
wide-bands 5ghz
80mhz-support
min-tx-power 18
max-tx-power 127
band-steering-mode prefer-5ghz
air-time-fairness-mode default-access
client-aware
scanning
ip dhcp pool
lease-time 59
syslog-level warn ap-debug
syslog-level warn network
syslog-level warn security
syslog-level warn system
syslog-level warn user
syslog-level warn user-debug
syslog-level warn wireless
extended-ssid
mgmt-user admin xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
wlan access-rule AAAAA
index 0
rule 172.22.0.0 255.255.254.0 match any any any deny
rule any any match any any any permit
wlan access-rule default_wired_port_profile
index 1
rule any any match any any any permit
wlan access-rule wired-instant
index 2
rule masterip 0.0.0.0 match tcp 80 80 permit
rule masterip 0.0.0.0 match tcp 4343 4343 permit
rule any any match udp 67 68 permit
rule any any match udp 53 53 permit
wlan access-rule BBBBB
index 3
rule 172.22.0.1 255.255.255.255 match tcp 4343 4343 deny
rule 172.22.20.0 255.255.254.0 match any any any deny
rule any any match any any any permit
wlan ssid-profile AAAAA
enable
index 0
type employee
essid AAAAA
wpa-passphrase uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuu
opmode wpa2-psk-aes
max-authentication-failures 0
vlan 2
rf-band all
captive-portal disable
dtim-period 1
broadcast-filter arp
deny-inter-user-bridging
dmo-channel-utilization-threshold 90
local-probe-req-thresh 0
max-clients-threshold 64
dot11r
dot11k
dot11v
wlan ssid-profile BBBBB
enable
index 1
type employee
essid BBBBB
wpa-passphrase zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
opmode wpa2-psk-aes
max-authentication-failures 0
vlan 3
rf-band all
captive-portal disable
dtim-period 1
broadcast-filter arp
deny-inter-user-bridging
enforce-dhcp
dmo-channel-utilization-threshold 90
local-probe-req-thresh 0
max-clients-threshold 64
dot11r
dot11k
dot11v
auth-survivability cache-time-out 24
wlan external-captive-portal
server localhost
port 80
url "/"
auth-text "Authenticated"
auto-whitelist-disable
https
blacklist-time 3600
auth-failure-blacklist-time 3600
ids
wireless-containment none
ip dhcp bbbb_scope
server-type Local
server-vlan 3
subnet 172.22.0.0
subnet-mask 255.255.254.0
lease-time 3540
dns-server 8.8.8.8
ip dhcp aaaaa_scope
server-type Local
server-vlan 2
subnet 172.22.20.0
subnet-mask 255.255.254.0
lease-time 3540
dns-server 8.8.8.8
wired-port-profile wired-instant
switchport-mode access
allowed-vlan all
native-vlan guest
no shutdown
access-rule-name wired-instant
speed auto
duplex auto
no poe
type guest
captive-portal disable
no dot1x
wired-port-profile default_wired_port_profile
switchport-mode trunk
allowed-vlan all
native-vlan 1
shutdown
access-rule-name default_wired_port_profile
speed auto
duplex full
no poe
type employee
captive-portal disable
no dot1x
enet0-port-profile default_wired_port_profile
uplink
preemptionw
enforce none
failover-internet-pkt-lost-cnt 10
failover-internet-pkt-send-freq 30
failover-vpn-timeout 180
airgroup
disable
airgroupservice airplay
disable
description AirPlay
airgroupservice airprint
disable
description AirPrint