RAP Fallback/Backup SSID Trials and Tribulations...

  • 1.  RAP Fallback/Backup SSID Trials and Tribulations...

    Posted Aug 04, 2019 09:15 AM

    Hey Gang,

     

    I have been working on getting Fallback/Backup SSIDs working for some of our remote offices so that on the rare occasion they cannot reach the controller through the wilds of the Internet, they will still have wireless access out to the universe.

     

    So I followed this configuration guide:

    https://www.arubanetworks.com/techdocs/ArubaOS_63_Web_Help/Content/ArubaFrameStyles/Remote_AP/Advanced_Configuration_O1.htm

     

    and referenced this one too:

    https://community.arubanetworks.com/t5/Controller-Based-WLANs/What-is-remote-AP-quot-BACKUP-quot-operation-mode-how-to/ta-p/178414

     

    and have been MOSTLY successful. I am testing on my RAP109 at home (I have a firewall rule set up to block access to our public IP that I just turn on or off as needed) and when it cannot reach the controller back at the office the following happens:

     

    1 - The backup SSID begins to broadcast

    2 - I can connect to the backup SSID, no problem (for testing I am using an open SSID)

    3 - I get the proper address from the RAP backup DHCP pool

     

    BUT:

     

    1 - I cannot get out to the universe (i.e. the Interwebs)

    2 - I cannot ping the RAP IP address that is the gateway address that I get from the RAP backup DHCP (DNS and all that good stuff is configured and I DO have the role configured as spec'ed for the RAP to src nat its users)

     

    Soooo.... any clues out there? Anyone experience this before? Any advice from the almighty gurus out there? Any idea if Emperor Palpatine really is coming back in the latest Star Wars movie?

     

    Thanks in advance gang :-)

     




  • 2.  RE: RAP Fallback/Backup SSID Trials and Tribulations...

    Posted Aug 06, 2019 03:30 PM

    My guess offhand would be that the aaa profile you have set up for your backup SSID is incorrect.  Make sure you have set an initial role and that role has the ACLs to allow all and src-nat.

     

    If you post your config here (remove the confidential details), I can take a look and have a better idea of what the problem is.



  • 3.  RE: RAP Fallback/Backup SSID Trials and Tribulations...

    Posted Aug 06, 2019 03:40 PM

    I am more of a GUI user on the controllers, if you know what show commands you want to see just let me know and I'll run them and post'em (after sanitizing of course)



  • 4.  RE: RAP Fallback/Backup SSID Trials and Tribulations...

    Posted Aug 08, 2019 02:42 PM

    I'm not sure what the commands I need are offhand as I don't really use the command line a lot either.  I do most stuff from the GUI but I can read the config and easily see if it is correct or not.

     

    Log into the command line of your controller (use PuTTY).  Before logging in, change the logging option of PuTTY to "All session output" (it is on the left hand side of the PuTTY configuration).  This will save your output to a text log.

     

    Once you have a text copy of your config, do a find and look for "rap-operation backup".  This will give us the virtual-ap profile that you are using.  We need to find the aaa-profile for that virtual-ap profile and search for that in the config.  

     

    Do a search again and look for the aaa-profile that you found in the step beforehand.  You should find an "aaa profile "XXXXXXXX"" with roles tied to it.  Look for the "initial-role" in the aaa profile and copy that.

     

    Do a search again and look for the initial-role that you found beforehand.  This will give you a list of ACLs tied to that role.  Search your config for each one of the ACLs to find what the rules are.

     

    Here is my config for our backup RAP config:

    vlan 188

    ap system-profile "default"
    rap-dhcp-server-vlan 188
    rap-dhcp-server-id 192.168.188.1
    rap-dhcp-default-router 192.168.188.1
    rap-dhcp-dns-server 8.8.8.8
    rap-dhcp-dns-server 4.2.2.2
    rap-dhcp-pool-start 192.168.188.25
    rap-dhcp-pool-end 192.168.188.254
    rap-local-network-access
    ap-console-password (REMOVED)
    bkup-passwords (REMOVED)

     

    wlan virtual-ap "XXXXX_Backup_Profile"
    aaa-profile "XXXXX_External_Access"
    ssid-profile "XXXXX_Backup_SSID_Profile"
    vlan 188
    forward-mode bridge
    rap-operation backup

     

    aaa profile "XXXXX_External_Access"
    initial-role "XXXXX_External_Users"
    authentication-dot1x "XXXXX_External_Auth_Profile"

     

    user-role XXXXX_External_Users
    access-list session global-sacl
    access-list session apprf-XXXXX_External_Users-sacl
    access-list session XXXXX_External_User_Policy

     

     

    ip access-list session XXXXX_External_User_Policy
    alias XXXXX_Backup_Network alias XXXXX_Backup_Network any permit
    user any any route src-nat

     

     

    That last part "user any any route src-nat" might be what you are missing but that is just a guess on my part.  If you can send me your config in the same way that I sent mine, then I can easily look at it and tell you what is wrong/missing.  Just start with searching for "rap-operation backup" from your config and copy the virtual-ap profile and search for every profile attached to it in the config and copy that info here.
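
The manual search chain described in post 4 (virtual-ap with "rap-operation backup", then its aaa profile, initial-role, session ACLs and their rules), automated over a saved config as an added example that is not part of the original thread. It assumes the saved text keeps the running-config layout of unindented stanza headers with indented child lines and "!" separators; the profile names in the sample are constructed placeholders.

```python
# Constructed sample, modelled on the config quoted in the thread (placeholder names).
SAMPLE = '''\
wlan virtual-ap "Backup_VAP"
   aaa-profile "Backup_AAA"
   rap-operation backup
!
aaa profile "Backup_AAA"
   initial-role "Backup_Users"
!
user-role Backup_Users
   access-list session global-sacl
   access-list session Backup_Policy
!
ip access-list session Backup_Policy
   user any any route src-nat
!
'''

def parse_stanzas(text):
    """Map each unindented header (quotes removed) to its indented child lines."""
    stanzas, current = {}, None
    for line in text.splitlines():
        if line.strip() in ("", "!"):
            continue
        if line[0].isspace() and current is not None:
            stanzas[current].append(line.strip())
        elif not line[0].isspace():
            current = line.strip().replace('"', "")
            stanzas[current] = []
    return stanzas

def child_value(children, key):
    """Return the unquoted argument of the first child line starting with `key`."""
    return next((c[len(key):].strip().strip('"') for c in children if c.startswith(key + " ")), None)

def trace_backup_vaps(text):
    """Follow virtual-ap -> aaa profile -> initial-role -> session ACLs for each backup VAP."""
    st = parse_stanzas(text)
    results = []
    for header, kids in st.items():
        if header.startswith("wlan virtual-ap ") and "rap-operation backup" in kids:
            aaa = child_value(kids, "aaa-profile")
            role = child_value(st.get(f"aaa profile {aaa}", []), "initial-role")
            acls = [c.split()[-1] for c in st.get(f"user-role {role}", []) if c.startswith("access-list session ")]
            rules = [r for a in acls for r in st.get(f"ip access-list session {a}", [])]
            results.append({"vap": header.split(None, 2)[2], "aaa": aaa, "role": role,
                            "acls": acls, "src_nat": any(r.endswith("src-nat") for r in rules)})
    return results
```

A result with `role` set to `None` or `src_nat` set to `False` points at the two things post 2 says to check: a missing initial role, or a role whose ACLs never src-nat the backup clients.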