Wired Intelligent Edge


Tunneled-Node for Campus AP

  • 1.  Tunneled-Node for Campus AP

    Posted Jan 31, 2020 08:19 AM

    Hi all. 

    I have searched for a long time but haven't found anything so I write my own question now. 


    We have deployed Tunneled-Node (Port-Based) on our 2920 and 2930 access switches. The tunnels terminate to a pair of Mobility Devices and the authentication goes through a pair of Clearpass servers. 


    Everything works perfectly for wired clients. The switch port, connecting to a computer for example, sends a RADIUS request to the ClearPass cluster, which evaluates it through the service section and returns a role to the Mobility Master, which then sends the role out to the switch port. This works perfectly!


    Now to the access points (Campus AP). 

    Since the access point is "smart", it creates a separate GRE tunnel to the Mobility Device per connected wireless client, but I want the access point itself to authenticate, but not create a tunnel for itself. If it does, the AP itself creates a tunnel and then tunnels the wireless clients within that tunnel, so I get the "tunnel-in-tunnel" scenario, which is wrong in my opinion. 


    If I make a service in ClearPass which authenticates the AP and returns the user role "Aruba-AP" (which essentially places the AP in a separate VLAN), the AP connects and works as it should, but a tunnel is now created...

    (MD01) *#show tunneled-node state | include 10.208.0.102
    10.208.0.102  9c:b6:54:c8:b0:4b  1/39  complete  10    1947    1

    I have read an article about a function called "Port-Mode" that authenticates the first client on the port and then automatically passes the rest of the connected devices through, but I think that is what I would use if I had an Instant AP, not a Campus AP. 


    For ease of use for our technicians in the field, we want every access port to have tunneled-node enabled and not exclude access ports for our Campus APs. 


    Is there a solution out there for this?



  • 2.  RE: Tunneled-Node for Campus AP
    Best Answer

    Posted Feb 06, 2020 11:55 AM

    You have two options:

    1. Enable User Based Tunneling as you mention, selectively deciding what to tunnel and what not to (everything but Campus APs).
    2. Enable device profiling for Aruba APs on the switch. This will allow you to instruct the switch not to tunnel Aruba APs that are profiled as such.

    Create your Device Profile


    device-profile name Aruba_APs
    no allow-tunneled-node
    exit

    Associate the aruba-ap device type to your profile and enable it


    device-profile type aruba-ap
    associate Aruba_APs
    enable
    exit

    You can also consider other device-profile settings, such as poe-priority, max power, VLAN settings, etc.:


    https://techhub.hpe.com/eginfolib/networking/docs/switches/WB/16-01/webhelp/content/ch10.html
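    An added example, not from this thread: a small check that, once the `no allow-tunneled-node` profile is active, no known Campus AP still shows up in `show tunneled-node state` (the tunnel-in-tunnel case from the question). The sample output is constructed from the one line quoted above, the AP MAC list is an assumed input (for instance exported from ClearPass endpoints), and the trailing numeric columns are carried through without assuming their meaning.

    ```python
    """Parse ArubaOS `show tunneled-node state` output and flag entries whose
    MAC belongs to a known Campus AP; those should disappear once the
    `no allow-tunneled-node` device profile is applied on the switch."""
    import re
    from dataclasses import dataclass

    # Constructed sample modelled on the single line quoted in the thread.
    # The trailing numeric columns are not interpreted here.
    SAMPLE_OUTPUT = """\
    (MD01) *#show tunneled-node state
    10.208.0.102  9c:b6:54:c8:b0:4b  1/39  complete  10    1947    1
    10.208.0.57   00:11:22:33:44:55  1/12  complete  10    1947    1
    10.208.0.58   66:77:88:99:aa:bb  1/13  pending   0     0       0
    """

    # Assumed input: MACs of the Campus APs (e.g. from a ClearPass endpoint export).
    KNOWN_AP_MACS = {"9c:b6:54:c8:b0:4b"}

    LINE_RE = re.compile(
        r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
        r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
        r"(?P<port>\S+)\s+(?P<state>\S+)\s*(?P<rest>.*)$", re.I)

    @dataclass(frozen=True)
    class TunnelEntry:
        ip: str
        mac: str
        port: str
        state: str

    def parse_state(output: str) -> list[TunnelEntry]:
        """Return one entry per tunnel line; the prompt and any header are skipped."""
        entries = []
        for line in output.splitlines():
            m = LINE_RE.match(line.strip())
            if m:
                entries.append(TunnelEntry(m["ip"], m["mac"].lower(),
                                           m["port"], m["state"].lower()))
        return entries

    def tunneled_aps(output: str, ap_macs: set[str]) -> list[TunnelEntry]:
        """Entries whose MAC is a known AP: each one is a tunnel-in-tunnel case."""
        wanted = {m.lower() for m in ap_macs}
        return [e for e in parse_state(output) if e.mac in wanted]

    if __name__ == "__main__":
        for e in tunneled_aps(SAMPLE_OUTPUT, KNOWN_AP_MACS):
            print(f"AP {e.mac} ({e.ip}) still tunneled on port {e.port}, state={e.state}")
    ```

    Run it against the real `show tunneled-node state` output after the device profile is enabled; an empty result means no AP is being tunneled.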




  • 3.  RE: Tunneled-Node for Campus AP

    Posted Feb 12, 2020 08:26 AM

    This worked like a charm! Thank you!