Security

Aruba 3400 controller
I need to setup a 2nd 'guest' network using the DHCP from my Aruba 3400. I currently have 3 SSIDs- each on their own VLAN, and all using the same AP Groups.

VLAN ID IP Address Net Mask Associated Ports Admin State Operation State Mode
1 192.168.100.2 255.255.255.0 Pc0-7 Enabled Down Regular
600 172.16.138.3 255.255.255.128 GE1/1 Enabled Up Regular
700 (Ext. DHCP) 192.168.254.104 255.255.255.0 GE1/2 Enabled Up Regular
701 172.16.165.2 255.255.255.0 GE1/0,GE1/3 Enabled Up Regular

I would like to create 'Guest2', and use the 3400's DHCP service to assign addresses.

This 'Guest2' will be isolated from other users and WLANS, and will be used by a limited number of devices.

Going through the WLAN wizard, I'm getting confused and have to cancel out, not knowing how to properly proceed without possibly affecting my existing WLANs.

- When at 'Specify WLAN for Group default', can I 'copy' the current 'Guest1' VLAN and modify it's config?

- Or do I start the new from scratch and create a VLAN for 'Guest2'?

- I also need to make sure the new WLANs SSID is hidden.

I'm kind of lost, and any advice would be greatly appreciated.

Thanks in advance!

I would personally recommend not using the WLAN wizard. To build a fully functional WLAN you need three things - a AAA profile, an SSID profile, and a containing profile known as a VAP or Virtual-AP profile. Each of these profiles have their own components, but for simplicity sake, let's say you need to do the following:

1. Create a new VLAN on the controller

2. Build the DHCP scope for that VLAN

3. Add that VLAN to a port

4. Build a AAA profile, can probably be the same as current guest

5. Build an SSID profile, this will be unique because the SSID will be different and hidden

6. Build a VAP profile, this will tie together the AAA, SSID, and define the VLAN.

7 Go into your AP group(s) and add the new VAP to the groups you want to broadcast it. 

If you want to be extra cautious about effecting your other guest network, I would at least copy the existing guest AAA profile and rename it, in case you want to make changes in the future.

Does that make sense? If you Google Aruba Networks Profile Diagram, you should be able to find a diagram showing how all profiles are tied together.

For reference, you can also log into CLI and do a "show run" and grab each component of your current Guest network to better understand how they all tie together.

Thanks, Michael- this is the first info I've been able to follow. I'll ry the steps you've mentioned, and let you know how it goes. Thank you kindly for your time and your help!

Be Well!

Happy to help, let us know how it works out!

Everything went well, it seemed. I followed your instructions, filling in the details by comparing the existing config, and reading up on the topics here. Cloned the appropriate profiles, etc., and I have the new WLAN\SSID, and it's providing IPs from the internal DHCP service on the 3400.

No internet access, however. Not sure where\how to check for the proper DNS to enter, or if I should be using NAT or a NAT pool (please excuse- this is my first foray into the config of this unit, besides the occassional update to AOS.)

How could  I go about checking the proper config for internet access for this newly created WLAN\VLAN\SSID?

Can you provide the output from "show wlan virtual-ap" for both the original guest SSID and the newly created SSID?

From there, we'll compare the VLAN configurations to sort out if/where NAT is being applied.

Sure, here's what I get with show wlan virtual-ap

Virtual AP profile List
-----------------------
Name                       References  Profile Status
----                       ----------  --------------
default                    0
Acme_Regional-vap-profile  1
Acme_Guest-vap-profile     1
Acme_RAP-vap_prof          1
Acme_Guest2nd-vap_prof     1
test-vap-profile           0
test-vap_prof              0
Acme_nursing-vap-profile   1

Total:8

Okay, so now we need "show wlan virtual-ap Acme_Guest-vap-profile" and "show wlan virtual-ap Acme_Guest2nd-vap_prof" to compare the two WLANs.

With the exception of the profile names, they seem to appear identical unless I'm overlooking something.

Virtual AP profile "ACME_Guest-vap-profile"
------------------------------------------
Parameter                                       Value
---------                                       -----
QinQ Outer VLAN                            0
Virtual AP enable                            Enabled
Allowed band                                  all
AAA Profile                                     ACME_GUEST-aaa-profile
802.11K Profile                               default
SSID Profile                                    ACME_GUEST-ssid-profile
VLAN                                              700
Forward mode                                tunnel
Deny time range                             N/A
Mobile IP                                       Enabled
HA Discovery on-association        Disabled
DoS Prevention                             Disabled
Station Blacklisting                        Enabled
Blacklist Time                                3600 sec
Dynamic Multicast Optimization (DMO)       Disabled
Dynamic Multicast Optimization (DMO)       Threshold  6
Authentication Failure Blacklist Time           3600 sec
Multi Association                               Disabled
Strict Compliance                              Disabled
VLAN Mobility                                   Disabled
Preserve Client VLAN                       Disabled
Remote-AP Operation                       standard
Drop Broadcast and Multicast           Enabled
Convert Broadcast ARP requests to unicast       Enabled
Band Steering                                   Disabled
Steering Mode                                   prefer-5ghz
VLAN POOL SIZE                             0
WMM Traffic Management Profile     N/A

Virtual AP profile "ACME_GUEST2nd-vap_prof"
---------------------------------------
Parameter                                       Value
---------                                       -----
QinQ Outer VLAN                           0
Virtual AP enable                            Enabled
Allowed band                                  all
AAA Profile                                     ACME_GUEST2nd-aaa_prof
802.11K Profile                               default
SSID Profile                                    ACME_GUEST2nd-ssid_prof
VLAN                                              759
Forward mode                                tunnel
Deny time range                             N/A
Mobile IP                                       Enabled
HA Discovery on-association        Disabled
DoS Prevention                             Disabled
Station Blacklisting                        Enabled
Blacklist Time                                3600 sec
Dynamic Multicast Optimization (DMO)            Disabled
Dynamic Multicast Optimization (DMO) Threshold  6
Authentication Failure Blacklist Time           3600 sec
Multi Association                               Disabled
Strict Compliance                             Disabled
VLAN Mobility                                   Disabled
Preserve Client VLAN                       Disabled
Remote-AP Operation                       standard
Drop Broadcast and Multicast           Enabled
Convert Broadcast ARP requests to unicast       Enabled
Band Steering                                   Disabled
Steering Mode                                   prefer-5ghz
VLAN POOL SIZE                             0
WMM Traffic Management Profile     N/A

Oops- And the VLANS.

Cool, now how about the output from "show interface vlan 759" and "show interface vlan 700"?

Thanks for you help, Charlie!  Here are the results.

(Aruba3400) #show interface vlan 759

VLAN759 is up line protocol is up
Hardware is CPU Interface, Interface address is 00:0B:86:61:AB:84 (bia 00:0B:86:61:AB:84)
Description: 802.1Q VLAN
Internet address is 192.168.20.1  255.255.255.0
Routing interface is enable, Forwarding mode is enable
Directed broadcast is disabled, BCMC Optimization disabled ProxyARP disabled Suppress ARP disabled
Encapsulation 802, loopback not set
MTU 1500 bytes
Last clearing of "show interface" counters 442 day 15 hr 9 min 2 sec
link status last changed 0 day 0 hr 50 min 44 sec
Tunnels Configured on this Interface:
Tunnel 0

(Aruba3400) #show interface vlan 700

VLAN700 is up line protocol is up
Hardware is CPU Interface, Interface address is 00:0B:86:61:AB:84 (bia 00:0B:86:61:AB:84)
Description: 802.1Q VLAN
Internet address is 192.168.254.69  255.255.255.0
IP address is obtained through DHCP
DHCP data: server 192.168.254.254, router 192.168.254.254, domain UNKNOWN, DNS 8.8.8.8, lease time(in secs) 7200 state BOUND
Routing interface is enable, Forwarding mode is enable
Directed broadcast is disabled, BCMC Optimization disabled ProxyARP disabled Suppress ARP disabled
Encapsulation 802, loopback not set
MTU 1500 bytes
Last clearing of "show interface" counters 442 day 15 hr 9 min 7 sec
link status last changed 442 day 15 hr 7 min 6 sec
Tunnels Configured on this Interface:
Tunnel 0,Tunnel 0,Tunnel 0,Tunnel 0,Tunnel 0,
Tunnel 0,Tunnel 0,Tunnel 0,Tunnel 0,Tunnel 0,
Tunnel 0,Tunnel 0,Tunnel 0,Tunnel 0,Tunnel 0,
Tunnel 0,Tunnel 0,Tunnel 0,Tunnel 0,Tunnel 0,
Tunnel 0,Tunnel 0,Tunnel 0,Tunnel 0,Tunnel 0,
Tunnel 0,Tunnel 0,Tunnel 0,Tunnel 0,Tunnel 0,
Tunnel 0,Tunnel 0,Tunnel 0,Tunnel 0,Tunnel 0,
Tunnel 0,Tunnel 0,Tunnel 0,Tunnel 0,Tunnel 0,
Tunnel 0

Okay, so your existing guest network on VLAN 700 has a direct path out out the router at 192.168.254.254. I'm assuming that router is providing the NAT for your existing guests.

What is the egree that your new guest VLAN 759 should be using?

The existing guest on VLAN 700; This is using DHCP provided externally by a simple router from one of the local ISPs.
VLAN 759; I have the Aruba 3400's DHCP enabled for this new guest network.

I'm afraid I don't understand the question about what egress\egree the new 759 VLAN should be using. I'm probably familiar with the concept, perhaps just not in those terms? I apologize for my lack of knowledge.

and how do I tell if the router is providing NAT for the existing guest network?

Most likely, the router on VLAN 700 does not know that you have a new network with VLAN 759 and IP range 192.168.20.0/24. Have you configured the router with that information?

If both guest networks should use the same router located on VLAN 700, why not connect both networks to VLAN 700 and avoid using VLAN 759 completely?

---

@skylogic wrote:

and how do I tell if the router is providing NAT for the existing guest network?

---

Charlie, if I were to do so, would I then be able to implement authentication on the 2nd network, while leaving the auth open on the original guest?

Yes sir.

Because you set up two different profiles, you can change the authentication/security of each of the guest SSIDs independently of each other.

Virtual AP profile "ACME_Guest-vap-profile"
------------------------------------------
Parameter                                       Value
---------                                       -----
QinQ Outer VLAN                            0
Virtual AP enable                            Enabled
Allowed band                                  all
AAA Profile                                     ACME_GUEST-aaa-profile

{snip}
 
Virtual AP profile "ACME_GUEST2nd-vap_prof"
---------------------------------------
Parameter                                       Value
---------                                       -----
QinQ Outer VLAN                           0
Virtual AP enable                            Enabled
Allowed band                                  all
AAA Profile                                     ACME_GUEST2nd-aaa_prof

For the 2nd guest network, updating the AAA policy ACME_GUEST2nd-aaa_prof will only affect the 2nd guest network, since the original guest network is using a different profile.

Ahhh, Excellent! I'm going to try this today. I'll update when I have. Thanks again, Charlie!

Sorry for the extended delay in getting back; It works ! Thank you so very much for your assistance!

For VLAN 759, how should those guest users get to the Internet? Do they use the same router as the guest users on VLAN 700, or are they taking a different path to leave (egress) your network?

---

@skylogic wrote:

The existing guest on VLAN 700; This is using DHCP provided externally by a simple router from one of the local ISPs.
VLAN 759; I have the Aruba 3400's DHCP enabled for this new guest network.

I'm afraid I don't understand the question about what egress\egree the new 759 VLAN should be using. I'm probably familiar with the concept, perhaps just not in those terms? I apologize for my lack of knowledge.

---