Aruba OS version: 6.5.4.5, build 63925
This guide takes you step by step through configuring an Aruba Remote AP (RAP). I will use the following topology:
Device/Host | IP Address     | Description
Aruba MC    | 192.168.99.1   | Internal address, used as the master IP address
Campus AP   | 192.168.99.2   | Internal IP
FW #1       | 192.168.99.254 | Internal IP
FW #1       | 10.0.0.1       | External IP
FW #2       | 172.16.0.254   | Internal IP
FW #2       | 10.0.0.2       | External IP
Remote AP   | 172.16.0.5     | Internal IP
The Aruba MC and the remote AP are each behind a firewall that NATs their traffic towards the internet, so neither side sees the other's real address.
1. Log in to the MC.
2. Go to Configuration -> Advanced Services -> VPN Services -> IPSEC.
3. Under Address Pools click Add.
4. Configure an address pool for the remote APs (the MC hands each RAP its inner tunnel address from this pool, so size it for the number of RAPs you expect).
5. Click Done.
6. Under NAT-T check Enable NAT-T.
7. Scroll down and click Apply.
8. Next go to Configuration -> Wireless -> AP Configuration and create a new AP group for the remote APs (KS-RAP in this example).
9. In the group go to AP -> AP system profile and create a new profile for this group.
10. In this profile make sure the LMS IP address is the MC's external address, i.e. the address the RAP can reach over the internet (10.0.0.1, the static NAT on FW #1, in this topology), not the MC's internal 192.168.99.1.
11. Now go to Configuration -> Wireless -> AP Installation -> Whitelist, click on Remote AP and then click on Entries.
12. Add the MAC address of the remote AP to the MC localdb, choose the newly created AP group (KS-RAP) and click Add.
13. Click Save Configuration on the MC to save all changes.
Next let's configure the remote AP. Connect to the RAP with a console cable and:
1. Press Enter to stop the autoboot process.
2. Type setenv remote_ap 1
3. Type setenv master 10.0.0.1 (the MC's external address, i.e. the static NAT on FW #1, not the MC's internal 192.168.99.1)
4. Type setenv serverip 10.0.0.1
5. Type saveenv
6. Type boot
Once the RAP has booted and brought up its IPsec tunnel, show ap database on the MC should list it in the KS-RAP group; if it never appears, check the firewall rules in the next section first.
NAT Traversal
Because both firewalls are doing NAT, we have to use NAT traversal (IPsec over UDP port 4500) to allow traffic between the MC and the RAP.
On firewall #1 we need a static NAT with port forwarding that passes UDP port 4500 from the outside to the MC (outside to inside), while on FW #2 we need a policy that allows the remote AP to reach UDP port 4500 on the outside.
Each firewall/router configuration is different and is not part of the scope of this post.
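The firewall side is out of scope for the post, but as an added example (not from the original post, and not Aruba's configuration) here is what the two rule sets look like for Linux firewalls running nftables, matched to the topology table above. The interface names eth0 (WAN) and eth1 (LAN) and the script name rap-fw.sh are assumptions; the addresses and the UDP 4500 port are the ones from the post. The script only emits the rule set text so it can be reviewed first; piping it into nft -f - applies it on the respective firewall.

```shell
#!/bin/sh
# Added example, not from the original post: nftables rule sets for FW #1 and
# FW #2 in the RAP topology. Emits text; apply with `./rap-fw.sh fw1 | nft -f -`.
set -eu

# Values from the post's topology table
MC_INT=192.168.99.1      # Aruba MC internal address
FW1_EXT=10.0.0.1         # FW #1 external address (static NAT for the MC, LMS IP)
FW2_EXT=10.0.0.2         # FW #2 external address
RAP_INT=172.16.0.5       # Remote AP address behind FW #2
NATT_PORT=4500           # IPsec NAT-T (UDP)

# Assumed interface names (not in the post): WAN=eth0, LAN=eth1 on both firewalls
WAN=eth0
LAN=eth1

# FW #1: static NAT 10.0.0.1 -> MC. Only UDP 4500 is forwarded inbound, and
# only to the MC; everything else from the outside is dropped.
fw1_ruleset() {
    cat <<EOF
flush ruleset
table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        iifname "$WAN" ip daddr $FW1_EXT udp dport $NATT_PORT dnat to $MC_INT
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "$WAN" snat to $FW1_EXT
    }
}
table inet filter {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        iifname "$WAN" oifname "$LAN" ip daddr $MC_INT udp dport $NATT_PORT ct state new accept
        iifname "$LAN" oifname "$WAN" accept
    }
}
EOF
}

# FW #2: only the RAP may open UDP 4500 outbound, and only towards the MC's
# public address; return traffic rides on conntrack state.
fw2_ruleset() {
    cat <<EOF
flush ruleset
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "$WAN" snat to $FW2_EXT
    }
}
table inet filter {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        iifname "$LAN" oifname "$WAN" ip saddr $RAP_INT ip daddr $FW1_EXT udp dport $NATT_PORT ct state new accept
    }
}
EOF
}

# Usage: ./rap-fw.sh fw1 | nft -f -   (run on firewall #1)
#        ./rap-fw.sh fw2 | nft -f -   (run on firewall #2)
case "${1:-}" in
    fw1) fw1_ruleset ;;
    fw2) fw2_ruleset ;;
    "") ;;   # no argument: only define the functions (e.g. when sourced)
    *) echo "usage: $0 fw1|fw2" >&2; exit 2 ;;
esac
```

FW #1's forward chain deliberately admits new connections from the outside only for UDP 4500 to the MC, so the static NAT does not expose the MC's other services; FW #2 pins the outbound rule to the RAP's address and the MC's public address rather than opening UDP 4500 for the whole LAN.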
Remote AP Authentication
In the following example I'm using certificate-based authentication: the RAP authenticates with its factory-installed certificate, and the MC checks the RAP's MAC address against the localdb whitelist. This way we can pre-provision an AP that has never been connected to the MC before.
We can also use an IPsec PSK, but that requires the RAP to be connected to the MC as a campus AP before it is converted to a RAP.