Wireless Access

I'll try and provide as much information as possible here:

Gear:

Juniper SRX220 Firewall

Juniper EX4200 Switch

Aruba 620 Controller

2 x AP105

1 x RAP2WG

My 620 controller has a single connection, a trunk, from Ethernet8 to the Juniper switch. That trunk allows vlans 991 and 993. The 620 has both of those VLANs defined and has an IP address on VLAN993, the default route for the controller is to another host on that VLAN993.

Onsite with the controller are two AP105s, which correctly locate and attach to the 620 controller, and the two VirtualAP profiles I've defined, one with PSK, the other with WPA2 and 802.1x auth are working properly.

Now... onto what's not working:

The RAP2WG access point connects. I've setup VPN services, whitelisted the RAP, setup a static 1 to 1 NAT for my controller's IP on VLAN993 to a public IP. I defined a new AP group for the RAP2WG, and then under virtual AP's I have added the same two virtual AP profiles I was using for the AP group for my AP105's. I definitely have no problem using tunnel mode here.

It does not appear that those SSID's are broadcasting on the RAP, and my attempts to set the wired port profiles mostly end in my own confusion. I'd like to transport that VLAN991 mentioned earlier to the E1 interface of the RAP.

Sorry if this seems all over the place.

#1 - Do the RAPs show up as "up" on the controller after you connect them?

Yeah, they show as up. Seems like the IPsec tunnel is connecting okay, I would think since I'm doing tunnel mode for each of my VAPs that I should be good to go? Everything I read seems to indicate the exceptions and extra configuration is needed for split-tunneling and bridge mode.

For now, make sure that those APs are in the same ap-group as your regular APs.

okay, that worked, i'll start comparing the differences between the two groups... I'd still like to provision the E1 port to put a user directly onto one of the VLANs at the controller

So this seems easier to manage from the CLI, the NEW ap group had an entry for authorization-profile default... maybe the wizard put that there. Seems like those wizards harm more than they do good.

Yes.  That Authorization profile is something different and can cause trouble if applied wrong.

If you just simply want to clone one AP-group to another, you would do this:

config t

ap-group <new ap-group name>

clone <old ap-group name>

To enable port e1, you would have to modify the wired port profile.  Make sure it is enabled; make sure the access mode VLAN is the one that you want your clients on, and then make sure it is trusted:

got it, now, the wizard put that authorization profile in there... how is that supposed to be used? I understood that the whitelisting process created the usernames/passwords for the remote APs or am I wrong?

Do not use the Wizard for what you are trying to accomplish.  If you provision an AP as a Remote AP it will automatically enter the AP into the whitelist, in the AP-Group that you set.

got it... and if i'm doing one-touch... then i whitelist myself manually and on connect it will auto-provision to the right group, correct?

Correct.

thank for all your help, I'm all set!