
BPDG_RemoteAP_ArubaOS-2.5_v1.0

Date post: 08-Aug-2018
Upload: samba-sidibe
  • 8/23/2019 BPDG_RemoteAP_ArubaOS-2.5_v1.0


    Remote AP Configuration
    Configuring the Secure Remote AP

    Abstract

    This document describes the configuration of Secure Remote AP. The Secure Remote AP feature allows an Aruba AP to be configured as an IPSec client and set up a VPN connection over an insecure network to an Aruba mobility controller. This configuration allows enterprises to provide secure, centrally managed APs to their remote or traveling employees.

    The document demonstrates a typical configuration with complete step-by-step instructions for configuring:

    Secure Remote AP

    Recommended Reading

    The following pre-requisite documentation is highly recommended before reading this document:

    Best Practices: Performance

    Best Practices: WLAN Base Configuration

    ArubaOS-2.5_v1.0_20050328 ArubaOS 2.5 2005-2006 Aruba Networks


    Best Practices: Remote AP Configuration

    Table of Contents

    Remote AP Configuration

    Design Summary

    Design Guidelines

    Installation Procedure

    Aruba Controller Design Configuration

    Aruba Remote AP Design Configuration

    Troubleshooting


    Design Summary

    Overview

    This section describes the secure remote AP - what it is, and how it works - both from an AP perspective as well as a mobility controller perspective.

    Features and functionality

    The remote AP (RAP) includes the following features and functionality:

    The RAP can connect over an insecure network (such as the Internet) back to an Aruba controller via IPSec and provide corporate ESSIDs to a remote office or traveling employee

    All ESSIDs and corporate policies apply to the Remote AP

    The RAP works behind NATing routers and firewalls with no additional configuration

    Topology

    The following network diagram shows the basic topology for this network reference design:

    Figure 1 Remote AP Configuration Reference Topology


    Required software

    The following software modules are required to configure this capability:

    ArubaOS (standard with all mobility controllers)

    1. Note: this design requires ArubaOS version 2.5.0 or higher

    Policy Enforcement Firewall module (user roles)

    Remote AP License (licensed per concurrent AP connection. A controller licensed for 16 Remote APs can support up to 16 simultaneously connected Remote APs). Note, a remote AP counts towards the total number of APs that an Aruba mobility controller manages.

    Required hardware

    At least one Aruba mobility controller is required to manage and control the Remote APs. The Remote AP feature is currently supported on the following AP models:

    AP-60

    AP-61

    AP-70

    Scaling notes

    The number of active Remote APs supported on a system must be less than or equal to the number of Remote AP licenses installed on the controller they are connected to. The total number of APs connected to a controller, including Remote APs, must be less than or equal to the total number of APs the system can support.

    Further reading

    Please see the Aruba User Guide documentation for more information on installation, features and advanced or alternate configuration.

    This document is based on modifications made to the reference network described in the Best Practices: WLAN Base Configuration document. [1]

    [1] Estimated time to complete this configuration by following this document:


    Design Guidelines

    Overview

    This section describes the guidelines used to build the reference remote AP network.

    Network configuration

    The IP addressing for the Aruba controller, ESSIDs and firewall policies are taken from the Best Practices: WLAN Base Configuration document.

    A publicly reachable/routable IP address has been added to the base controller configuration - this address is placed at the DMZ to allow the remote APs to connect to it via the Internet.

    VLAN 30 has been added to provide an internal address to the Remote AP once it successfully connects to the controller

    The Remote AP is configured to use DHCP to gain an IP address.

    Figure 2 Remote AP Configuration IP Topology


    System management

    The Remote AP is represented in the Aruba management interfaces similarly to a standard AP in terms of ESSID configuration. In the GUI, Remote APs will show up with "yes" in the IPSec field under the AP whereas standard APs will not.

    In the CLI, Remote APs are not listed by the show user-table command. Rather, they are special cases and are only listed by the show user-table verbose command.

    It is a best practice to use different location code designations for Remote APs for ease of management.

    WLANs and SSIDs

    The WLAN information in this document is taken from the Best Practices: WLAN Base Configuration document.

    Remote APs can be configured with any desired SSID, and can either mimic corporate defaults or have unique field SSIDs.

    Controller DMZ IP configuration

    The Remote APs need an Aruba mobility controller with a publicly routable IP address they can access. Best practice is to put an interface of the Aruba controller in the DMZ or to forward traffic from the corporate firewall to the controller. If this approach is used, the firewall must pass NAT-T traffic to the appropriate Aruba controller address. NAT-T is defined as UDP port 4500.

    ARM/RF management

    It is a best practice to configure ARM on the remote AP base configuration. This will allow the AP to adjust its channel and/or power level accordingly when deployed in environments where neighboring APs are present.

    AP deployment

    Remote AP parameters such as IPSec settings, username, and password must be configured through the Aruba controller GUI or CLI. Remote APs cannot be configured fully through a console cable. This is because the VPN settings on the RAP are stored in a protected format on the AP - not in clear text.


    Installation Procedure

    Overview

    This section describes the overall steps involved in configuring a network according to the reference network design described in the previous section. These steps assume a network that has already been built according to the reference design outlined in the Best Practices: WLAN Base Configuration document.

    Procedure steps

    Here are the steps required and the order to perform them:

    Master mobility controller configuration

    1 Configure public DMZ address on controller

    2 Configure remote AP VLAN

    3 Configure Aruba VPN server

    4 Configure remote AP firewall policies

    5 Configure remote AP role

    6 Configure remote AP authentication server

    Configure Secure Remote APs

    7 Provision IPSEC settings on remote APs


    Aruba Controller Design Configuration

    Overview

    This section outlines the steps needed to configure the Aruba controller to handle secure Remote APs.

    The Remote AP configuration is built on the best practices WLAN base configuration, and assumes that a base switch configuration already exists. The use of the GUI is documented here, with CLI references as applicable.

    Configure controller DMZ address

    The Remote AP needs an address to connect to in order to establish a VPN tunnel to the mobility controller. In this example, an additional VLAN and interface address is configured on the Aruba mobility controller.

    Here is the procedure to configure a new DMZ address on the controller:

    1 On the top-level menu bar, click Configuration

    2 Click the VLAN tab

    3 Click the Add button

    4 In the Add New VLAN screen, enter the following information:

    VLAN ID 30

    IP Address 216.31.249.230

    Net Mask 255.255.255.0

    5 Click the Apply button

    6 On the top-level menu bar, click Save Configuration

    Note: If it is not desirable to add a routable IP address to the mobility controller, an external router or firewall address can be used and the traffic forwarded to an existing interface on the controller.


    DMZ VLAN port assignment

    Now that the VLAN is configured, we can assign a port to the DMZ VLAN. This is the port on the Aruba mobility controller that is physically connected to the DMZ. In our reference design, this is port 2/25.

    1 On the top-level menu bar, click Configuration

    2 Click the General tab

    3 Click the Port tab

    4 In the Port Selection section, click the checkbox that corresponds to slot 2/port 25

    5 In the Configure Selected Ports section, enter the following information:

    Enter VLAN 30

    6 Click the Apply button to save the port settings

    7 On the top-level menu bar, click Save Configuration

    Test & Validate

    Verify the public address is indeed reachable from the untrusted network, i.e. the Internet. Ensure the controller correctly responds to a ping of the new public IP address 216.31.249.230.

    Configure Remote AP VLAN

    Next we need to create a VLAN for the Remote APs. This VLAN will furnish internal IP addresses for the APs only. It will not provide IP addresses for the wireless clients.

    Here is the procedure to configure a new VLAN:

    1 On the top-level menu bar, click Configuration

    2 Click the VLAN tab

    3 Click the Add button

    4 In the Add New VLAN screen, enter the following information:

    VLAN ID 930

    IP Address 172.16.30.1

    Net Mask 255.255.255.0

    5 Click the Apply button

    6 On the top-level menu bar, click Save Configuration


    Checkpoint! We now have an operational master Aruba controller that is configured with:

    A DMZ VLAN and IP address

    Remote AP VLAN


    Configure VPN settings

    Since the secure Remote AP is a VPN client, the Aruba mobility controller must have VPN server functionality configured to terminate the secure Remote APs.

    Here are the procedures to configure the VPN settings that will enable secure Remote AP functionality.

    Authentication protocols

    First we need to configure the authentication protocols. In this reference design, we use L2TP and PAP. Here is the procedure:

    1 On the top-level menu bar, click Configuration

    2 On the left-hand option bar, under Security, click VPN Settings

    3 Click the IPSec tab

    4 Enter the following information:

    Enable L2TP Click checkbox to enable

    Authentication Protocols PAP

    Primary DNS Server 10.3.22.253

    ! Important: Ensure that the only authentication protocol selected for the remote AP is PAP.

    Configure IP information for APs

    Next we need to configure the IP address pool and DNS information. This information will be used to give each remote AP a valid IP address and DNS server. Here is the procedure:

    1 On the top-level menu bar, click Configuration

    2 On the left-hand option bar, under Security, click VPN Settings

    3 Click the IPSec tab

    4 Enter the following information:

    Primary DNS Server 10.3.22.253

    5 In the Address Pools section, click the Add button

    6 In the Add Address Pool screen, enter the following information:

    Pool Name RemoteAP-Pool

    Start Address 172.16.30.10 [2]

    End Address 172.16.30.25

    7 Click the Done button to return to the VPN settings screen

    [2] These addresses correspond to the 16 remote APs our controller is licensed to manage. Adjust the size of the address pool as needed for more or fewer remote AP licenses.


    IKE shared secret

    Part of the IPSec process requires the VPN client (the remote AP) to present a shared secret. Here is the procedure to configure an IKE shared secret for the remote APs:

    1 On the top-level menu bar, click Configuration

    2 On the left-hand option bar, under Security, click VPN Settings

    3 Click the IPSec tab

    4 In the IKE Shared Secrets section, click the Add button

    5 In the Add IKE Secret screen, enter the following information:

    IKE Shared Secret secret

    Verify IKE Shared Secret secret

    6 Click the Done button to return to the VPN settings screen

    IKE policy

    Finally, an IKE policy governing these VPN clients must be defined. Here is the procedure:

    1 On the top-level menu bar, click Configuration

    2 On the left-hand option bar, under Security, click VPN Settings

    3 Click the IPSec tab

    4 In the IKE Policies section, click the Add button

    5 In the Add Policy screen, enter the following information:

    Priority 1

    Encryption 3DES

    Hash Algorithm SHA

    Authentication PRE-SHARE

    Diffie Hellman Group GROUP 2

    Life Time Accept the default

    Note: These settings reflect the default IKE policies set on the controller. The default settings are all that is needed to configure the Secure Remote AP feature.

    6 Click the Done button to return to the VPN settings screen

    Save the VPN configuration

    7 Click the IPSEC tab

    8 Click the Apply button to save the VPN settings

    9 On the top-level menu bar, click Save Configuration


    Checkpoint! We now have an operational master Aruba controller that is configured with:

    DMZ VLAN and IP address

    Remote AP VLAN

    Configured VPN server


    Configuring firewall policies

    Now that the VPN settings have been configured, it is time to look at the security aspects of the remote APs. Once a remote AP has authenticated via the VPN server and established an IPSec connection, we need to ensure the AP is only allowed to access those network resources required for its operation. This will ensure that, even if the user name, password and IKE shared secret of the remote AP are known, this knowledge does not, of itself, allow unrestricted network access.

    Remote AP network access rights

    We will do this by first configuring firewall policies for the remote APs themselves. This policy is applied upon completion of IPSec and will grant the following access:

    AP control traffic via the Aruba PAPI protocol (UDP port 8211)

    802.11 traffic inside GRE tunnels

    L2TP traffic from the remote AP to the Aruba mobility controller

    TFTP traffic from the remote AP to the Aruba mobility controller

    FTP traffic from the remote AP to the Aruba mobility controller

    Remote AP firewall policy

    Here is the procedure to create the firewall policy called RemoteAP-Access:

    1 On the top-level menu bar, click Configuration

    2 On the left-hand option menu, under Security, click Policies

    3 Click the Add button

    4 In the Add New Policy screen, enter the following information:

    Policy Name RemoteAP-Access

    5 Under the Rules section, click the Add button to enter a new rule

    6 In the policy statement, create a rule that will allow L2TP traffic. Create the policy by entering the following information:

    Source Any

    Destination Any

    Service svc-l2tp (udp 1701)

    Action Permit

    7 Click the Add button to add this rule to the policy

    8 Click the Add button to create another rule


    9 In the policy statement, create a rule that will allow GRE traffic. Create the policy by entering the following information:

    Source Any

    Destination Any

    Service svc-gre (gre 0)

    Action Permit

    10 Click the Add button to add this rule to the policy

    11 Click the Add button to create another rule

    12 In the policy statement, create a rule that will allow PAPI control traffic for the APs. Create the policy by entering the following information:

    Source Any

    Destination Any

    Service svc-papi (udp 8211)

    Action Permit

    13 Click the Add button to add this rule to the policy

    14 Click the Add button to create another rule

    15 In the policy statement, create a rule that will allow the APs TFTP access to the controller. Create the policy by entering the following information:

    Source Any

    Destination Alias

    Alias mswitch

    Service svc-tftp (udp 69)

    Action Permit

    16 Click the Add button to add this rule to the policy

    17 Click the Add button to create another rule

    18 In the policy statement, create a rule that will allow the APs FTP access to the controller. Create the policy by entering the following information:

    Source Any

    Destination Alias

    Alias mswitch

    Service svc-ftp (tcp 21)

    Action Permit

    19 Click the Add button to add this rule to the policy

    20 Click the Apply button

    21 On the top-level menu bar, click Save Configuration
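
    The rules entered above can be checked against the access list stated at the start of this section. The following is an added example, not Aruba tooling or part of the original guide; the dictionary layout, the finding names and the drifted policy are constructed for illustration.

```python
# Added illustration: the five RemoteAP-Access rules as entered in the GUI
# procedure. The dictionary layout is this example's own, not an Aruba format.
REMOTEAP_ACCESS = [
    {"src": "any", "dst": "any", "service": "svc-l2tp", "action": "permit"},
    {"src": "any", "dst": "any", "service": "svc-gre", "action": "permit"},
    {"src": "any", "dst": "any", "service": "svc-papi", "action": "permit"},
    {"src": "any", "dst": "mswitch", "service": "svc-tftp", "action": "permit"},
    {"src": "any", "dst": "mswitch", "service": "svc-ftp", "action": "permit"},
]

# Access the guide says the role grants. True marks the entries whose wording
# is "from the remote AP to the Aruba mobility controller".
STATED_ACCESS = {
    "svc-papi": False,
    "svc-gre": False,
    "svc-l2tp": True,
    "svc-tftp": True,
    "svc-ftp": True,
}

CONTROLLER_ALIAS = "mswitch"


def audit_policy(rules, stated=STATED_ACCESS, controller=CONTROLLER_ALIAS):
    """Return (rule_number, service, finding) tuples that deserve review."""
    findings = []
    permitted = set()
    for number, rule in enumerate(rules, start=1):
        if rule["action"] != "permit":
            continue
        service = rule["service"]
        if service not in stated:
            # The role permits something the stated access list never mentions.
            findings.append((number, service, "not-in-stated-access-list"))
            continue
        permitted.add(service)
        if stated[service] and rule["dst"] != controller:
            # The text names the controller, but the rule matches any destination.
            findings.append((number, service, "destination-wider-than-stated"))
    for service in sorted(set(stated) - permitted):
        # A listed access right has no permit rule, so the AP may fail to connect.
        findings.append((None, service, "stated-access-has-no-permit-rule"))
    return findings


# Constructed drift case: the FTP rule replaced by a permit-everything rule.
DRIFTED = REMOTEAP_ACCESS[:4] + [
    {"src": "any", "dst": "any", "service": "any", "action": "permit"},
]

if __name__ == "__main__":
    for label, policy in (("as documented", REMOTEAP_ACCESS), ("drifted", DRIFTED)):
        print(label)
        for finding in audit_policy(policy):
            print("  ", finding)
```

    The documented policy yields one item for review: the L2TP rule uses Destination Any although the access list names the controller. Whether that rule can be narrowed depends on which controller address terminates the tunnel, so treat it as a review item rather than a required change.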


    Checkpoint! We now have an operational master Aruba controller that is configured with:

    DMZ VLAN and IP address

    Remote AP VLAN

    Configured VPN server

    Remote AP firewall policy


    The remote AP role

    Now that the firewall policy has been created, we can create a role for the remote APs. When a remote AP connects to the Aruba mobility controller, it will be placed into a role. This role contains information about the access rights and privileges of that device. It will contain the firewall policy we just created as well.

    Configuring the remote AP role

    Here is the procedure to create the user role called RemoteAP:

    1 On the top-level menu bar, click Configuration

    2 On the left-hand option menu, under Security, click Roles

    3 Click the Add button

    4 In the Add Role screen, enter the following information:

    Role Name RemoteAP

    5 Under the Firewall Policies section, click the Add button to associate a policy with this role

    6 Select the radio button next to Choose from Configured Policies

    7 Select the following firewall policies from the drop-down box:

    Firewall Policy Order

    RemoteAP-Access 1

    8 Click the Done button after each policy selection

    9 Click the Apply button

    10 On the top-level menu bar, click Save Configuration

    Checkpoint! We now have an operational master Aruba controller that is configured with:

    DMZ VLAN and IP address

    Remote AP VLAN

    Configured VPN server

    Remote AP firewall policy

    Remote AP role


    Remote AP authentication server

    The last piece of configuration (outside of the APs themselves) is the authentication server that will validate the user name and password for each remote AP. This server can be of any type - for example, a RADIUS server, Active Directory, and so on. In this reference design, we will use the internal authentication server of the Aruba mobility controller.

    Configure the remote AP authentication server

    The internal authentication (AAA) server is enabled by default on each mobility controller. Therefore, we only need to create the user name and password for each remote AP. These credentials will then be presented by the remote AP to the VPN server when they attempt to establish an IPSec connection.

    Here is the procedure to configure the VPN server on the Aruba mobility controller to use the internal DB for authentication:

    1 On the top-level menu bar, click Configuration

    2 On the left-hand option menu, under Security, click Authentication Methods

    3 Click the VPN tab

    4 In the VPN screen, enter the following information:

    Authentication Enabled Click the checkbox to enable

    Default Role RemoteAP

    5 Under the Authentication Servers section, click the Add button

    6 Select the Internal server from the drop-down box

    7 Click the Add button to use this server for VPN client authentication

    8 Click the Apply button

    9 On the top-level menu bar, click Save Configuration


    Creating remote AP accounts

    Here is the procedure to configure guest accounts on the internal DB:

    1 On the top-level menu bar, click Configuration

    2 On the left-hand option menu, under Security, click AAA Servers

    3 Click the Internal DB tab

    4 Under the Users section, click the Add User button

    5 In the Add User screen, enter the following information:

    User Name RAP01

    Password GoAruba

    6 Click the Apply button

    Checkpoint! We now have an operational master Aruba controller that is configured with:

    DMZ VLAN and IP address

    Remote AP VLAN

    Configured VPN server

    Remote AP firewall policy

    Remote AP role

    Configure the VPN AAA server

    Create remote AP accounts


    Aruba Remote AP Design Configuration

    Overview

    The final step in Remote AP configuration is to put the VPN settings on the AP itself. These settings will tell the remote AP to use IPSec to connect to the mobility controller. The settings provide the user name, password and IKE shared secret to use as part of establishing the IPSec connection.

    This process is similar to provisioning a standard Aruba AP as outlined in the Best Practices: WLAN Base Configuration document, with the addition of the IPSec information.

    Provisioning the remote APs

    Here is the procedure to provision a remote AP Aruba access point [3]:

    1 Connect the Aruba AP either directly to the Aruba mobility controller (if it has a line card with fast Ethernet ports) or to another network device and ensure it comes up correctly [4]

    2 On the top-level menu bar, click Maintenance

    3 On the left-hand option menu, under WLAN, click Program AP

    4 Select the AP by clicking on the radio button next to it

    5 Click the Provision button

    6 In the AP Parameters section of the AP provisioning screen, enter the following information:

    Building 250

    Floor 1

    Location 1 [5]

    7 In the IPSec Parameters section of the AP provisioning screen, enter the following information:

    IKE PSK secret

    Confirm IKE PSK secret

    User Name RAP01

    Password GoAruba

    Confirm Password GoAruba

    Warning: The IKE PSK and policy used in this document are for illustrative purposes only; a stronger PSK is recommended for production networks.

    [3] This procedure is supported for all Aruba AP models except the AP-52.

    [4] For information on how to configure an Aruba AP please refer to the Best Practices: WLAN Base Configuration document or the Aruba User Guide.

    [5] It is a best practice to use a location ID for remote APs that does not overlap with a location ID that is used for permanently installed APs.


    8 In the Master Discovery section of the AP provisioning screen, enter the following information:

    Host Switch IP Address 216.31.249.230

    Master Switch IP Address 216.31.249.230

    9 In the IP Settings section of the AP provisioning screen, enter the following information:

    Obtain IP Address Using DHCP Click the radio button to enable

    10 Click the Apply and Reboot button at the bottom of the screen to load the new configuration to the AP

    Test & Validate

    Verify the AP comes back up correctly and is no longer shown as an unprovisioned AP. It should now show up in the Network Summary screen as a provisioned, IPSec AP.

    Here is the procedure to validate the remote AP has been correctly provisioned:

    1 Connect to the Aruba mobility controller

    2 On the top-level menu bar, click Monitoring

    3 In the Network Summary screen, check WLAN Network Status and ensure at least one AP is listed under the IPSEC Up column

    If the remote AP is not listed, please follow the steps outlined in the Troubleshooting section of this document.


    Checkpoint! We now have an operational master Aruba controller that is configured with:

    DMZ VLAN and IP address

    Remote AP VLAN

    Configured VPN server

    Remote AP firewall policy

    Remote AP role

    Configure the VPN AAA server

    Create remote AP accounts

    Connected remote APs


    Troubleshooting

    Overview

    This section describes common configuration issues and troubleshooting tips for remote APs.

    Common problems

    The following is a list of common behaviors or symptoms that may occur with remote AP configuration:

    Remote AP does not connect - does not show up under IPSEC Up in the WLAN Network Status section of the management GUI

    Remote AP does not connect

    A very common symptom is when the remote AP is configured, but is unable to establish an IPSec connection to the Aruba mobility controller. If the AP does not fully connect, the best way to troubleshoot this problem is to observe the boot messages of the AP. This is done by attaching to the serial port of the AP.

    For more information on how to connect to the serial port of an Aruba AP, please see the Troubleshooting section of the Best Practices: WLAN Base Configuration document or the Aruba User Guide.

    Observe the AP boot sequence, here is a typical example:

        Aruba Wireless Networks 6x_70
        ArubaOS Version 2.4.1.17 (build 11469 / label #11469)
        Built by p4build@speedy on 2005-10-07 at 19:47:40 PDT (gcc version 3.4.1)
        Calibrating delay loop... 179.20 BogoMIPS
        Memory: 25568k/32768k available (1506k kernel code, 7200k reserved, 2444k data, 188k init, 0k highmem)
        physmap flash device: 400000 at 1fc00000
        AMD Flash AM29LV320D (Top) (User Locked)
        phys_mapped_flash: Found 1 x16 devices at 0x0 in 8-bit bank
        NET4: Linux TCP/IP 1.0 for NET4.0
        IP Protocols: ICMP, UDP, TCP
        bond0: Atheros AR2313: 00:0b:86:c2:7a:00, irq 4
        Getting an IP address...
        bond0: Configuring MAC for full duplex
        192.168.1.22 255.255.255.0 192.168.1.1
        Running ADP...Done. Master is 24.128.183.241
        Setting up IPSec SA to 24.128.183.241...

    Note how the SA portion of IPSec hangs and does not return a success. This can be caused by the following:

    1 Missing remote AP licenses on the mobility controller

    2 IKE policy mismatch

    3 User name or password mismatch

    4 Insufficient network access
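
    A captured serial log can be triaged before walking the checklist. The following is an added example, not part of the original guide or an Aruba tool: it parses the boot sequence shown above and reports a stalled IPSec SA, a master address that differs from the provisioned one, and a banner version below the 2.5.0 this design requires. It assumes a completed tunnel prints further output after the "Setting up IPSec SA" line; the finding names are illustrative.

```python
import re

# Constructed sample: lines taken from the boot sequence shown above.
SAMPLE_BOOT_LOG = """\
Aruba Wireless Networks 6x_70
ArubaOS Version 2.4.1.17 (build 11469 / label #11469)
bond0: Atheros AR2313: 00:0b:86:c2:7a:00, irq 4
Getting an IP address...
bond0: Configuring MAC for full duplex
192.168.1.22 255.255.255.0 192.168.1.1
Running ADP...Done. Master is 24.128.183.241
Setting up IPSec SA to 24.128.183.241...
"""

MIN_VERSION = (2, 5, 0)  # the guide requires ArubaOS 2.5.0 or higher

QUAD = r"(?:\d{1,3}\.){3}\d{1,3}"
RE_VERSION = re.compile(r"ArubaOS Version (\d+(?:\.\d+)+)")
RE_LEASE = re.compile(rf"^({QUAD}) ({QUAD}) ({QUAD})$")  # address, mask, gateway
RE_MASTER = re.compile(rf"Master is ({QUAD})")
RE_IPSEC = re.compile(rf"Setting up IPSec SA to ({QUAD})\.\.\.(.*)$")

# The four causes and where the guide's checklist says to look.
NEXT_CHECKS = [
    ("Missing remote AP licenses", "show license / Maintenance > License Management"),
    ("IKE policy mismatch", "Configuration > Security > VPN Settings"),
    ("User name or password mismatch", "AP provisioning and the Internal DB account"),
    ("Insufficient network access", "default role under Authentication Methods"),
]


def parse_boot_log(text):
    """Extract the fields needed for triage from an AP serial boot log."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    info = {"version": None, "ap_ip": None, "gateway": None,
            "master": None, "ipsec_peer": None, "ipsec_stalled": False}
    for idx, line in enumerate(lines):
        if m := RE_VERSION.search(line):
            info["version"] = tuple(int(p) for p in m.group(1).split("."))
        elif m := RE_LEASE.match(line):
            info["ap_ip"], info["gateway"] = m.group(1), m.group(3)
        elif m := RE_MASTER.search(line):
            info["master"] = m.group(1)
        elif m := RE_IPSEC.search(line):
            info["ipsec_peer"] = m.group(1)
            # Assumption: nothing after this line means the SA never completed.
            info["ipsec_stalled"] = not m.group(2).strip() and idx == len(lines) - 1
    return info


def triage(text, provisioned_master):
    """Return finding names, in a fixed order, for one boot log."""
    info = parse_boot_log(text)
    findings = []
    if info["version"] and info["version"] < MIN_VERSION:
        findings.append("banner-version-below-2.5.0")
    if info["master"] and info["master"] != provisioned_master:
        findings.append("master-differs-from-provisioned")
    if info["ipsec_stalled"]:
        findings.append("ipsec-sa-stalled")
    return findings


def next_checks(findings):
    """Checklist items to work through when the SA stalls."""
    return NEXT_CHECKS if "ipsec-sa-stalled" in findings else []


if __name__ == "__main__":
    result = triage(SAMPLE_BOOT_LOG, provisioned_master="24.128.183.241")
    print(result)
    for cause, where in next_checks(result):
        print(f"  check: {cause} ({where})")
```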


    AP configuration checklist

    Here is a checklist to use to troubleshoot these problems:

    Issue: Missing remote AP licenses on controller

    Resolution: Check if RAP is licensed on the controller:

    CLI

    show license command

    GUI

    1 Connect to the Aruba mobility controller

    2 On the top-level menu bar, click Maintenance

    3 On the left-hand option bar, click License Management

    Issue: IKE policy mismatch

    Resolution: Check the VPN settings on the controller:

    GUI

    4 Connect to the Aruba mobility controller

    5 On the top-level menu bar, click Configuration

    6 On the left-hand option menu, under Security, click VPN Settings

    Issue: User name/password mismatch

    Resolution: Check or reset the user name and password on the Aruba AP and the authentication server (Internal DB) account

    Issue: Insufficient access

    Resolution: Check the role for the remote APs (RemoteAP-Access). Make sure there are sufficient privileges for the APs to connect.

    GUI

    1 Connect to the Aruba mobility controller

    2 On the top-level menu bar, click Configuration

    3 On the left-hand option menu, under Security, click Authentication Methods

    4 Check the default role for successful VPN clients

    There are occasions when a Remote AP will take longer than 2-3 minutes to reboot, depending on its current revision of software versus what the controller software revision is.
