Aruba Bootcamp – Remote AP – ZeroTouch
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved
12-1
12-2
The functional difference between the RAP5 and a regular Campus AP is virtually nil. The RAP5 is manufactured as a certificate RAP. The other APs are manufactured as Campus APs but may be re-configured as RAPs.
12-3
An administrator may want to pre-stage the RAPs even if Zero-Touch configuration is available, and may decide to hand out ready-to-go RAPs. These types of deployment would start with connecting the RAP5 to the controller. On the other hand, IT can send out unprovisioned RAPs to the end user, who then has to do minimal configuration work to bring the AP online:
1) Connect Eth0 to their home router.
2) Connect their laptop, wired, to Eth1 on the RAP. The RAP will provide DHCP to the wired client.
3) Launch a browser; it will be redirected to an internal Captive Portal page that asks the user to input the IP address of the controller the RAP will terminate on (IT will have to tell them), then hit Continue.
So long as the RAP configuration on the controller is correct AND IT has added the RAP's MAC to the whitelist, the RAP will connect.
12-4
12-5
In the RAP wizard the following configuration can be modified for the Remote AP:
• AP Group
• Internal DHCP on RAP
• Corporate DNS
• Wired ports
• Wired forwarding modes
• Port setting
• Access Method
• WLAN for group
• Forwarding modes
• VLANs for WLAN
• Internal or Guest
• Encryption used
12-6
12-7
The RAP wizard allows corporate DNS servers to be queried for specific domain names, which is necessary for internal domain queries when using split-tunnel mode.
12-8
The next two screens of the RAP wizard allow wired ports to be configured and forwarding modes selected by port.
12-9
An administrator may want to pre-stage the RAPs even though Zero-Touch configuration is available, and may decide to hand out ready-to-go RAPs. These types of deployment would start with connecting the RAP5s to the controller.
12-10
12-11
12-12
The controller contains separate whitelist databases for Campus and Remote APs.
12-13
The VPN address pool must be defined. This is the subnet for the VPN tunnel.
Once the remote AP has authenticated for the VPN and established an IPsec connection, it is assigned a role. This is a temporary role assigned to the AP until it completes the bootstrap process, after which it inherits the ap-role. The appropriate ACLs need to be enabled to permit traffic from the controller to the AP and back, to facilitate the bootstrap process. To configure the user role, you first create a policy that permits the following traffic:
• AP control traffic via the Aruba PAPI protocol
• GRE tunnel traffic
• TFTP traffic from the remote AP to the controller
• FTP traffic from the remote AP to the controller
12-14
12-15
12-16
12-17
12-18
Regardless of the AP type (RAP, CAP, Mesh), the AP group determines the type of SSID that will be broadcast by the AP.
12-19
It is necessary to specify the uplink bandwidth before configuring traffic classes: if the RAP uplink interface transmits at a higher rate than the internet uplink capacity, the internet router will drop packets unpredictably, so even though the RAP transmits classified traffic honoring the configured reservations, the receiving end will see distorted results. If Ethernet is a higher-priority uplink than cellular, the feature disables itself while the uplink is via cellular, meaning that classification/reservation is no longer done on the uplink. When Ethernet becomes active again, the feature turns itself back on.
12-20
(Master) (AP system profile "rap") #rap-bw-?
rap-bw-resv-1    Configure class 1 of RAP bw reservation
rap-bw-resv-2    Configure class 2 of RAP bw reservation
rap-bw-resv-3    Configure class 3 of RAP bw reservation
rap-bw-total     Set the RAP uplink internet bandwidth in kilobits per second

(Master) (AP system profile "rap") #rap-bw-total 1024
(Master) (AP system profile "rap") #rap-bw-resv-1 acl voice 512 priority 1
12-21
The RAP IPsec tunnel is set up in 2 phases:
Phase 1: A secured channel between the RAP and the controller is established for the Phase 2 negotiations to take place. Two modes: main mode and aggressive mode.
Phase 2: Completes the IPsec connection. Security Associations (SAs) are negotiated to determine the encryption and authentication algorithms to be used when sending user data. The SA is identified by a unique SPI, which is also negotiated during Phase 2. Two encapsulation modes: Tunnel and Transport. Phase 2 is established in Quick mode (3 messages).
12-22
12-23
The RAP whitelist validates the remote AP when it is first activated and identifies the AP group to which it should be assigned.
12-24
Recommendation: ensure the temporary role contains at least the following rules:
(MM800) #show ip access-list "VPN-role"

ip access-list session remoteap-acl
remoteap-acl
------------
Priority  Source  Destination  Service     Action  TimeRange  Log  Expired  Queue
--------  ------  -----------  -------     ------  ---------  ---  -------  -----
1         any     any          svc-syslog  permit                           Low
2         any     any          svc-ntp     permit                           Low
3         any     any          svc-papi    permit                           Low
4         any     mswitch      svc-tftp    permit                           Low
5         any     mswitch      svc-ftp     permit                           Low
6         any     any          svc-gre     permit                           Low
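As an added check (example code written for these notes, not part of the Aruba course or ArubaOS), the following Python parses a `show ip access-list` table like the one above and confirms the temporary VPN role permits every bootstrap service called for on slide 12-14 and here, evaluating rules in first-match priority order so a shadowing deny is reported rather than missed. The sample table is constructed to mirror the slide, and the controller destination name `mswitch` is taken from it.

```python
"""Verify a RAP temporary-role session ACL permits the bootstrap services."""
import re

# Constructed sample: the ACL table as printed by 'show ip access-list'.
SAMPLE_ACL = """\
ip access-list session remoteap-acl
remoteap-acl
------------
Priority  Source  Destination  Service     Action  TimeRange  Log  Expired  Queue
--------  ------  -----------  -------     ------  ---------  ---  -------  -----
1         any     any          svc-syslog  permit                           Low
2         any     any          svc-ntp     permit                           Low
3         any     any          svc-papi    permit                           Low
4         any     mswitch      svc-tftp    permit                           Low
5         any     mswitch      svc-ftp     permit                           Low
6         any     any          svc-gre     permit                           Low
"""

# Services the RAP needs while bootstrapping (syslog/NTP/PAPI/TFTP/FTP/GRE).
REQUIRED = ("svc-syslog", "svc-ntp", "svc-papi", "svc-tftp", "svc-ftp", "svc-gre")

# One table row: priority, source, destination, service, action.
RULE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(permit|deny)\b")


def parse_rules(text):
    """Return (priority, src, dst, service, action) tuples; header lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((int(m.group(1)),) + m.groups()[1:])
    return rules


def effective_action(rules, service, dst):
    """First-match semantics: the lowest-priority rule covering the flow decides.
    A session ACL ends in an implicit deny, so no match means 'deny'."""
    for _, _src, rule_dst, svc, act in sorted(rules):
        if svc == service and rule_dst in ("any", dst):
            return act
    return "deny"


def missing_services(text, controller="mswitch"):
    """Required bootstrap services the ACL does not permit toward the controller."""
    rules = parse_rules(text)
    return [s for s in REQUIRED if effective_action(rules, s, controller) != "permit"]
```

A non-empty result means the RAP can authenticate to the VPN but will stall in the temporary role before reaching ap-role.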
12-25
If the client is having difficulty, they have the capability to run diagnostics.
12-26
The client has the capability to run some diagnostics and to save a support file. Clicking "Save support file" saves a file on the client's laptop that can be sent to support for analysis.
12-27
12-28