Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Changing AP group in RAPs

  • 1.  Changing AP group in RAPs

    Posted Jul 13, 2017 10:19 AM

    Good morning experts,

     

    I have a customer that wants to change some of its RAPs to a new AP group. I will create the new AP group and provision the corresponding RAPs with the new AP group under Configuration > WIRELESS > AP Installation. After selecting the APs and clicking on Provision, the Provisioning tab appears and many parameters must be provided. Is there any way, page or command to know the current parameters of its RAPs in order to fill in all the sections of the Provisioning tab (AP Parameters, AP Installation Mode, Antenna Parameters, Authentication Method, etc.)? Thank you very much for your help.

     

    Regards,

    Julián



  • 2.  RE: Changing AP group in RAPs
    Best Answer

    MVP EXPERT
    Posted Jul 13, 2017 10:34 AM

    Hey, take a look at the below, this should answer most of your questions.

     

    http://www.arubanetworks.com/techdocs/ArubaOS_63_Web_Help/Content/ArubaFrameStyles/AP_Config/Provisioning_Installed_A.htm

     

    Generally you need to understand how the solution was deployed and speak to the relevant teams in order to fill in certain parameters.

     

    Usually the rest is self-explanatory. For example an Indoor AP (such as an AP205) would be an indoor AP.

     

    If you have any existing RAPs in production, you can always highlight a RAP and choose provision to copy some of the settings.



  • 3.  RE: Changing AP group in RAPs

    Posted Jul 13, 2017 11:12 AM

    Hi zailon0,

     

    Yes, all the RAPs I want to change the AP group to are in production. I tried to select a RAP and click on provision and all the settings appear so I can copy them before changing the AP group. Many thanks!

     

    Regards,

    Julián



  • 4.  RE: Changing AP group in RAPs

    Posted Jul 13, 2017 11:56 AM

    Hi zailon0,

     

    Two more little questions about this:

     

    1. I saw my customer uses Certificates as the RAP Authentication method, but it has Control Plane Security disabled. Does it make sense to you?

     

    2. When changing a RAP to the new AP group, will the inner IP be changed or remain the same?

     

    Regards,

    Julián



  • 5.  RE: Changing AP group in RAPs

    MVP EXPERT
    Posted Jul 14, 2017 03:10 AM

    Hey, I'll try and answer these the best I can :)

     

    1) I'm not sure to be honest, possibly a specific customer need? It is standard practice to use Control Plane Security for security reasons. My personal choice would be to have both CPSec and use Certificates for RAPs to establish their IPSEC tunnel.

     

    2) It is possible the inner IP will change. The Address Pool (or Inner IP as per the AP Database) is only used by an AP to Controller for communication. So in theory this can usually be a non-routable IP range such as 1.1.1.x



  • 6.  RE: Changing AP group in RAPs

    EMPLOYEE
    Posted Jul 14, 2017 03:50 AM

    @fjulianom@hotmail.com wrote:

    Hi zailon0,

     

    Two more little questions about this:

     

    1. I saw my customer uses Certificates as the RAP Authentication method, but it has Control Plane Security disabled. Does it make sense to you?

     

    2. When changing a RAP to the new AP group, will the inner IP be changed or remain the same?

     

    Regards,

    Julián


    1.  RAPs always use IPSEC for the transport for all traffic to and from the RAP so that it can traverse NAT boundaries like firewalls.  RAPs never use control plane security; only Campus APs use control plane security to protect the management traffic between the controller and AP.

    2. The inner AP will change, yes.



  • 7.  RE: Changing AP group in RAPs

    Posted Jul 14, 2017 09:54 AM

    Hi Colin,

     

    I didn't know this before, but then I have just read in some Aruba documentation that CPSec is only intended for CAPs:

     

    Control plane security feature has been designed to support campus AP’s only, It is not intended for use with Remote AP’s. Please do not attempt to use cpsec with any RAP devices.

     

    So let me understand this:

     

    1. Do RAPs never use control plane security because they always use IPSEC for the VPN tunnel?

     

    2. Then if CPSec is disabled, what's the point of having a RAP certificate? Will the controller check the RAP certificate with CPSec disabled?

     

    3. On the other hand, is there a problem if the inner IP is changed? I don't think so, please confirm.

     

    Many thanks for your replies, always learning...

     

    Regards,

    Julián 



  • 8.  RE: Changing AP group in RAPs

    EMPLOYEE
    Posted Jul 14, 2017 09:59 AM

    1.  Never

    2.  Both cpsec and ipsec form an ipsec tunnel.  Both use certificates to authenticate the endpoints on that tunnel.  The controller already checks a certificate for both.  The main difference between ipsec and cpsec is that cpsec only encrypts the Control Plane or management traffic between the AP and the controller.  The user traffic is still sent via GRE in cpsec.  With a RAP, everything is encapsulated in ipsec.

    3.  There is no problem.



  • 9.  RE: Changing AP group in RAPs

    Posted Jul 14, 2017 10:10 AM

    Hi Colin,

     

    OK, questions 2 and 3 understood. For question 1, now I know RAPs never should use CPSec, but I asked for the reason and I think it is because they already always use IPSEC for the VPN tunnel. If CPSec is used, a double encryption would happen, once for the control plane (by CPSec) and then again for all the traffic including control plane (because it is a RAP), am I right?

     

    And with all this together, a new question comes into my mind:

     

    4. What if an organization has both CAPs and RAPs? As far as I know CPSec is enabled/disabled globally and not per AP...

     

    Regards,

    Julián



  • 10.  RE: Changing AP group in RAPs

    Posted Jul 17, 2017 06:13 PM

    Hi Colin,

     

    1.  RAPs always use IPSEC for the transport for all traffic to and from the RAP so that it can traverse NAT boundaries like firewalls.  RAPs never use control plane security; only Campus APs use control plane security to protect the management traffic between the controller and AP.

    Then, what if an organization has both CAPs and RAPs? As far as I know CPSec is enabled/disabled globally and not per AP...

     

    Regards,

    Julián

     

     



  • 11.  RE: Changing AP group in RAPs

    EMPLOYEE
    Posted Jul 17, 2017 06:51 PM

    Regardless of whether CPSEC is enabled or not, RAPS use IPSEC and NOT CPSEC.



  • 12.  RE: Changing AP group in RAPs

    Posted Jul 17, 2017 06:53 PM

    OK, many thanks!

     

    Regards,

    Julián