So in part one I gave the back-story, so now it’s on to getting this going. I’m using Aruba OS 5 on an Aruba 650 Controller with AP-61 access points. Your mileage may vary.
If you’re running Aruba OS 5, you don’t need any RAP licenses, which is great. Not so great if you bought them before OS 5 came out, though. The good news is that they get turned into AP licenses when you upgrade to OS 5.
One more thing: since you will be deploying these access points in RAP mode, you won’t have some features. You won’t be able to tell how many people are on your system from that location, so I wouldn’t go more than a few APs. You can’t blacklist someone. I don’t think you can do heat maps (I’ll have to try this though). Also, because we are setting these APs up in bridge mode, they will use the local DHCP server, and if you have more than one AP, they need to be on the same VLAN. You will also have to take care of any extra security by using a local ACL on a switch or router.
Step One, log into your controller by going to https://aruba-master just to check that you have your DNS set up properly.
Step Two, navigate to Configuration –> Wireless –> AP Configuration.
Create a new AP Group by clicking on the New button. I’m giving it the name “RAP”. Click “Add” and then “Edit”.
Now, you will have to drill down to Wireless LAN –> Virtual AP and create a new Virtual AP. Click the drop down and select –NEW – at the bottom of the list. Then, give it a name. I’m going to use “test-vap_prof” which is one I use for testing. After you click “Add”, you have to select the AAA profile and the SSID profile. You can use the same ones you used for your campus profile since you won’t change them. I’m going to use some test ones though. After you select the ones you want to use, click “Apply” in the lower right.
Now, drill down one level to the Virtual AP you just set up. The only setting you want to change is the “Forward mode”, from “Tunnel” to “Bridge”. Then click “Apply”.
Step Three, set up the VPN. This is the step that kept throwing me off. Why do I need to set up a VPN connection between the AP and the controller if I’m on the local LAN? That’s just the way it is. If you don’t, the AP will never become a RAP on your AP Installation screen. This step is also what makes the controller push out the new RAP firmware to the AP. Navigate to Configuration –> Advanced Services –> VPN Services.
So, now that you’re on the VPN Services screen, you need to add an Address Pool. Just click “Add” under Address Pools. These addresses don’t have to be routable on your network. It’s probably better to pick ones that aren’t, so you don’t have any confusion.
Now you need to set up the IKE Secret. Under IKE Shared Secrets, click “Add”. You can keep the Subnet and Subnet Mask as quad zero (0.0.0.0) if you don’t have any other PSKs. Enter the IKE shared secret and then confirm it.
Click “Apply” in the lower right.
Step Four, navigate to Configuration –> Security –> Authentication to set up an internal user. Click on Internal DB on the left. Now you will see a section titled “Users”. You want to add one. Click “Add User”. It will auto-generate a username and password for you, but you will probably want to change them to something more meaningful.
You can leave the rest of the fields blank and click “Apply”.
Step Five. You are now ready to deploy the AP using the profile you created in step 2 and the VPN information you created in steps Three and Four. Navigate to Configuration –> Wireless –> AP Installation. Click the AP you wish to deploy as a remote AP and click “Provision”.
Now, in the AP Group field, select from the dropdown the AP group you set up in Step Two.
In the Authentication Method section, select that you will be deploying a Remote AP by clicking the “Yes” radio button. When you do, it will allow you to fill in the IKE PSK and your user credentials you created in step Four. Make sure to uncheck the “Use Automatic Generation” box or you won’t be able to enter your username and password.
After you have that info entered, you can move on down to select the campus this AP will be deployed to (there is documentation on how to set these up in the user guide). Then, name it something meaningful, and click the “Apply and Reboot” button. The reboot will take a few minutes because that AP will get a new image pushed out to it.
If you have done things right, you should see your new APs deployed and in the correct group, with an “R” in the flag section signifying that each one is a “Remote Access Point”. I’ve blotted out the IP address for the remote AP, but it will be something in the range that you set up in Step Two.
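For reference, here are the controller-side settings from Steps Two through Four as the roughly equivalent ArubaOS CLI commands. This is an added example, not part of the original walkthrough, and the syntax should be checked against the CLI reference for your release. The pool name `rap-pool`, the address range, the user name `rap-branch1` and every `<bracketed>` value are placeholders made up for illustration; provisioning the AP itself (Step Five) is still done from the AP Installation screen.

```text
! Added example: CLI counterpart of Steps Two to Four.
! Names, addresses and <bracketed> values are placeholders; use your own.

! Step Four: internal-database user for the remote AP (run in enable mode)
local-userdb add username rap-branch1 password <rap-user-password>

configure terminal

! Step Three: VPN address pool (constructed range, not routed on the LAN)
ip local pool rap-pool 10.254.254.10 10.254.254.50

! Step Three: IKE shared secret, subnet and mask left at quad zero
crypto isakmp key <ike-psk> address 0.0.0.0 netmask 0.0.0.0

! Step Two: virtual AP with forward mode changed from tunnel to bridge
wlan virtual-ap "test-vap_prof"
   aaa-profile "<your-aaa-profile>"
   ssid-profile "<your-ssid-profile>"
   forward-mode bridge
!

! Step Two: attach the virtual AP to the "RAP" AP group
ap-group "RAP"
   virtual-ap "test-vap_prof"
!

end
write memory
```

After the AP reboots, `show ap database` lists it with the same “R” flag the AP Installation screen shows.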
Well, I hope this helps someone out there who is struggling through getting some remote access points up with their Aruba gear. This is the first enterprise-class wireless system I have worked with and, for the most part, it is a pretty good system. There are ones out there that make it a whole lot easier to do some of these more advanced features though.