Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

RAP Deployment via Activate and traffic flow

  • 1.  RAP Deployment via Activate and traffic flow

    Posted Jul 02, 2020 06:12 AM

    Would appreciate it if anyone can shed some light on the exact traffic flow from staging (for example a 303H via Activate) to deployment at the end user.

    I would like to understand the entire process from factory default i.e.

    1. AP boots up with factory default image

    2. Obtains IP address from DHCP

    3. Discovery process for finding a controller

    4. AP begins Instant Virtual Controller Discovery

    5. AP begins Airwave discovery

    6. AP Connects to Aruba Activate

    At this point Activate recognises the AP via its MAC address and provides the mobility controller IP and AP obtains the config.

    The RAP gets shipped to the client and this is where I would like confirmation.

    1. Customer powers up the RAP connected to their home broadband.

    2. RAP obtains a 192.168.1.xx Class C address from the home router. (Does the RAP again contact Activate, or does it contact the mobility controller directly based on the existing "staging" config?)

    3. Builds IPSec tunnel to mobility controller based on existing config

    4. Mobility controller returns RAP Pool IP address i.e. 1.1.1.15 

    5. Clearpass applies roles, vlans etc for RAP.

    6. When connecting a laptop now to RAP, does it get a 192.168.1.xx IP address or RAP inner pool address? When does CPPM apply the VLAN, role etc?

    7. As above but using PoE VoIP phone? What IP address is assigned first i.e. 192.168.1.xx or RAP inner pool before CPPM assigns Voice VLAN, roles etc.



  • 2.  RE: RAP Deployment via Activate and traffic flow
    Best Answer

    Posted Jul 07, 2020 11:14 AM

    Hi Leroy,

     

    I have deployment pretty much the same like yours, only in my network there is no ClearPass. The general process you explain is correct, just a couple of things:

     

    6. AP Connects to Aruba Activate

    7. At this point Activate recognises the AP via its MAC address and provides the mobility controller IP and AP obtains the config.

    8. The AP builds IPSec tunnel to mobility controller IP and downloads controller image (if different). The AP reboots to load the new image, builds again IPSec tunnel to mobility controller and downloads configuration based on its AP group.

    The RAP gets shipped to the client and this is where I would like confirmation.

    1. Customer powers up the RAP connected to their home broadband.

    2. RAP obtains a 192.168.1.xx Class C address from the home router. (Does the RAP again contact Activate, or does it contact the mobility controller directly based on the existing "staging" config?)

    3. Builds IPSec tunnel to mobility controller based on existing config

    4. Mobility controller returns RAP Pool IP address i.e. 1.1.1.15 

    5. Clearpass applies roles, vlans etc for RAP.

    6. When connecting a laptop now to RAP, does it get a 192.168.1.xx IP address or RAP inner pool address? When does CPPM apply the VLAN, role etc?

    • The laptop gets IP from home router subnet, from DHCP corporate server, or from DHCP pool configured on controller. This depends on the controller's configuration (tunnel, split-tunnel, etc.), DHCP server configured on controller or not, etc. The laptop never gets IP from RAP inner pool address.

    7. As above but using PoE VoIP phone? What IP address is assigned first i.e. 192.168.1.xx or RAP inner pool before CPPM assigns Voice VLAN, roles etc.

    • The same as before.

    Regards,

    Julián



  • 3.  RE: RAP Deployment via Activate and traffic flow

    EMPLOYEE
    Posted Jul 07, 2020 12:07 PM

    Below is a simplified version of how it goes:

    1.  Instant/Unified AP boots up and gets an ip address from the local LAN.

    2.  Before any type of local discovery like ADP/DNS or DHCP options occurs, the AP attempts to reach the Activate server.  This also explains why, if someone purchases an IAP on eBay and there is an Activate rule, or the IAP is part of Central, even factory resetting the AP means it will always point back to Activate for instructions.

    3.  If there is a rule in activate for that device, that rule is processed, whether it be to convert to RAP, with a controller public ip address or point to airwave, the AP is redirected to the device specified.  Accordingly, if that IAP has been added to central, the device opens a connection to central and follows the rules specified in central.

    4.  If the Activate instruction is to convert to RAP, the Instant AP will attempt to convert to a RAP by contacting the controller's IP address and attempting to convert.  The MD MUST already have the MAC address of that IAP whitelisted for the Instant AP to connect and successfully convert to a RAP.  The whitelist entries for RAPs (MAC address, ap-name and ap-group) can be configured solely in the MM/MD infrastructure, or the MAC address, ap-name and ap-group can be contained in ClearPass and the MD will just point to ClearPass for whitelist authentication.  A third option is where the names, MAC addresses and ap-groups of devices are maintained in Activate and ClearPass synchronizes those periodically, and the MD still "authenticates" IAPs that want to convert using the synchronized whitelist.

    5.  The IAP connects to the MD and obtains an "inner" IP address that does not have to be routable.  It then upgrades its firmware and converts to a RAP.

    6.  The AP's name and ap-group become whatever it is listed as in the RAP whitelist, whether the whitelist is in the MM, in ClearPass or in ClearPass synchronized from Activate.

    7.  The IAP reboots, is converted to a RAP and reconnects to the MD.  Its name would be whatever it is in the whitelist, along with the ap-group specified.

     

    This is the way the flow is supposed to occur:

    1.  Instant APs are purchased by a customer

    2.  Aruba knows which customer you are and the mac address of the Instant AP is added to activate automatically.

    3.  Out the box, the IAP is in a folder on activate with no rules, so booting it up checks activate, but skips activate and does regular local discovery.

    4.  The customer admin knows that an IAP will be shipped, so he searches for the mac address in activate, names the AP and puts it into the correct AP group.  He also puts the AP in a folder that has a "convert to RAP" rule.

    5.  ClearPass periodically synchronizes the whitelist from activate along with the names and ap-groups of APs.

    6.  The Instant AP is shipped to end-user who plugs it in.

    7.  The instant AP contacts activate and activate sees that the folder the IAP is in has a convert-to-RAP rule

    8.  The Instant AP goes to the ip address of the MD it receives from the activate rule.

    9.  The MD looks up the IAP's MAC address in ClearPass and allows it to connect.  The firmware is upgraded, and the AP is named and put into the ap-group, based on what is in ClearPass.

    10.  The AP reboots and becomes a RAP.

     

    Theoretically, you can have your helpdesk manage all of the Instant APs that you want converted into RAPs in Activate.  If there is any problem with a RAP at someone's house, the helpdesk can walk the end user through the physical connections and the factory reset procedure, and the RAP will obtain all of its correct information all over again.

     

    I hope any of that helps.
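The decision order described in the two answers above (Activate is consulted before ADP/DNS/DHCP discovery, the folder rule chooses the target, and the MD only converts an AP whose MAC is already in a whitelist held in the MM, in ClearPass, or in ClearPass synchronised from Activate), modelled in Python as an added example. This is not HPE Aruba Networking code and not code from either poster; the MAC addresses, folder names, controller address and the dictionary-backed whitelist stores are constructed assumptions used only to make the flow executable and to show the refusal path for an AP that was moved into the RAP folder but not yet synchronised.

```python
"""Model of the Instant AP to RAP provisioning flow described in this thread.
Added example, not HPE Aruba Networking code. All identifiers, addresses and
whitelist stores below are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ActivateRule:
    action: str   # "convert-to-rap", "airwave" or "central" (assumed names)
    target: str   # MD public IP, AirWave host or Central URL (assumed values)


@dataclass(frozen=True)
class WhitelistEntry:
    ap_name: str
    ap_group: str


@dataclass
class BootResult:
    mac: str
    steps: List[str] = field(default_factory=list)
    mode: str = "IAP"                     # ends as "IAP" or "RAP"
    entry: Optional[WhitelistEntry] = None


# Constructed Activate state. Assumption: the admin has moved ...01 and ...02
# into the convert-to-rap folder and named them; ...03 sits in the rule-less
# default folder, so it does ordinary local discovery.
ACTIVATE_FOLDERS: Dict[str, Optional[ActivateRule]] = {
    "default": None,
    "convert-to-rap": ActivateRule("convert-to-rap", "203.0.113.10"),
}
ACTIVATE_DEVICES: Dict[str, Tuple[str, Optional[WhitelistEntry]]] = {
    "00:0b:86:00:00:01": ("convert-to-rap", WhitelistEntry("leroy-home-rap", "home-raps")),
    "00:0b:86:00:00:02": ("convert-to-rap", WhitelistEntry("unsynced-rap", "home-raps")),
    "00:0b:86:00:00:03": ("default", None),
}


def sync_activate_to_clearpass(clearpass: Dict[str, WhitelistEntry],
                               only: Optional[List[str]] = None) -> int:
    """The periodic Activate -> ClearPass sync: copy name/group of every device
    in a convert-to-rap folder into the ClearPass whitelist. `only` restricts the
    sync so a not-yet-synchronised device can be shown. Returns entries written."""
    written = 0
    for mac, (folder, entry) in ACTIVATE_DEVICES.items():
        rule = ACTIVATE_FOLDERS[folder]
        if rule is None or rule.action != "convert-to-rap" or entry is None:
            continue
        if only is not None and mac not in only:
            continue
        clearpass[mac] = entry
        written += 1
    return written


def md_whitelist_lookup(mac: str, mm: Dict[str, WhitelistEntry],
                        clearpass: Dict[str, WhitelistEntry]) -> Optional[WhitelistEntry]:
    """The MD accepts a conversion only if the MAC is in its local whitelist or,
    failing that, in ClearPass (which may itself have been filled from Activate)."""
    return mm.get(mac) or clearpass.get(mac)


def boot(mac: str, mm: Dict[str, WhitelistEntry],
         clearpass: Dict[str, WhitelistEntry]) -> BootResult:
    """Walk the boot sequence for one AP. Calling this again for the same MAC
    models a factory reset: the AP still asks Activate first, so a RAP reset at
    the user's home re-provisions itself with the same name and group."""
    r = BootResult(mac)
    r.steps.append("dhcp: got local LAN address")
    folder, _ = ACTIVATE_DEVICES.get(mac, ("default", None))
    rule = ACTIVATE_FOLDERS[folder]
    if rule is None:
        r.steps.append("activate: no rule, falling back to ADP/DNS/DHCP-option discovery")
        return r
    r.steps.append(f"activate: rule {rule.action} -> {rule.target}")
    if rule.action != "convert-to-rap":
        r.steps.append(f"redirected to {rule.action} at {rule.target}")
        return r
    entry = md_whitelist_lookup(mac, mm, clearpass)
    if entry is None:
        r.steps.append(f"md {rule.target}: MAC not whitelisted, conversion refused")
        return r
    r.steps += [
        f"md {rule.target}: whitelist hit name={entry.ap_name} group={entry.ap_group}",
        "md: inner IP assigned over IPsec, firmware upgraded",
        "ap: reboot, reconnect as RAP with whitelisted name/group",
    ]
    r.mode, r.entry = "RAP", entry
    return r


if __name__ == "__main__":
    mm_db: Dict[str, WhitelistEntry] = {}
    cppm_db: Dict[str, WhitelistEntry] = {}
    sync_activate_to_clearpass(cppm_db, only=["00:0b:86:00:00:01"])
    for dev in ACTIVATE_DEVICES:
        res = boot(dev, mm_db, cppm_db)
        print(dev, res.mode, *res.steps, sep="\n  ")
```

Running the block shows the three outcomes side by side: ...01 converts with the name and group the admin entered in Activate, ...02 is refused by the MD because the sync has not yet delivered its entry to ClearPass, and ...03 never leaves Instant mode. Booting ...01 a second time returns the identical result, which is the property the helpdesk relies on when it has a user factory-reset a RAP.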