
Configuring Wireless Access

The primary function of the wireless access layer is to provide network connectivity anywhere on the campus for wireless devices. Wireless access must be secure, available, fault tolerant, and reliable to meet the demands of today’s users.

To satisfy the requirements for wireless access in a variety of network designs, the Aruba ESP Campus supports two modes of switching traffic between wireless and wired networks. In bridged mode, the AP converts the 802.11 frame to an 802.3 Ethernet frame. In tunneled mode, the AP encapsulates the 802.11 frame in a GRE packet and tunnels the traffic to a Gateway device for decapsulation, additional inspection, and, if permitted, switching onto the correct VLAN.

An SSID is used to segment traffic between WLANs. A typical example for using multiple SSIDs is to separate employee traffic from visitor traffic. Another reason might be to separate IoT devices from other types of endpoints.

The Aruba ESP Campus for large campus topology uses bridged mode for a Visitor SSID and for an SSID using pre-shared key authentication as might be required for devices in a warehouse or healthcare setting. The same topology implements tunneled mode for an 802.1X authenticated SSID.

The following figure shows the wireless APs in the ESP Campus.

The following table shows the access VLANs for bridge-mode SSIDs.

Example: AP Access VLANs

VLAN Name        VLAN ID
EMPLOYEE         3
BLDG_MGMT        4
CAMERA           5
PRINTER          6
VISITOR          12
REJECT_AUTH      13
CRITICAL_AUTH    14
MGMT             15

The following table shows the ClearPass Policy Managers for the RADIUS server configuration.

Example: RADIUS servers

Hostname                 IP Address     Role
CPPM-1.EXAMPLE.LOCAL     10.2.120.94    Publisher
CPPM-2.EXAMPLE.LOCAL     10.2.120.95    Subscriber

Configure the WPA3-Enterprise Wireless LAN

Use this procedure to configure a WPA3-Enterprise SSID.

WPA3-Enterprise enables authentication using passwords or certificates to identify users and devices before they are granted access to the network. The wireless client authenticates against a RADIUS server using an EAP-TLS exchange, with the AP acting only as a relay (the 802.1X authenticator). Both the client and the RADIUS server present certificates to verify their identities.

Step 1 Navigate to Aruba Central and log in using administrator credentials.

Step 2 On the Aruba Central Account Home page, launch the Network Operations app.

Step 3 In the filter drop-down list, select an AOS10 Group name, and then from the left menu, select Devices.

Step 4 In the upper right of the Access Points page, select Config.

Step 5 From the Access Points page, select the WLANs tab, and then on the bottom left of the Wireless SSIDs table, click + Add SSID.

Step 6 In the Create a New Network page on the General tab, expand Advanced Settings, and then click the + sign to expand Broadcast/Multicast.

Step 7 Click the + sign to expand Transmit Rates (Legacy Only), implement the following settings, and then click Next.

  • Name (SSID): EXAMPLE-8021X
  • Broadcast filtering: ALL
  • Dynamic Multicast Optimization (DMO): Slide to the right
  • DMO Client Threshold: 40
  • 2.4 GHz: Min: 5
  • 5 GHz: Min: 18

NOTES:
The SSID name should not include spaces or special characters for compatibility with all client devices.
A DMO Client Threshold of 40 is the recommended initial value and should be adjusted based on actual performance results.

Step 8 On the VLANs tab, implement the following settings, and then click Next.

  • Traffic Forwarding Mode: Tunnel
  • Primary Gateway Cluster: UI-WIRELESS:SERVICES-7210
  • Secondary Gateway Cluster: None (default)
  • Client VLAN Assignment: Static (default)
  • VLAN ID: EMPLOYEE (103)

NOTES:
The Primary Gateway Cluster and VLAN ID were created in the Configuring Gateway Devices section.
If they have not already been configured, create the named VLANs for the SSID in this section.

Step 9 On the Security tab, implement the following settings.

  • Security Level: Slide to Enterprise
  • Key Management: WPA3 Enterprise (CCM 128)

NOTE:
WPA3 provides significant security improvements over WPA2 and should be used whenever possible. Consult endpoint documentation to confirm support.

Step 10 On the Security tab, click the + sign next to Primary Server.

Step 11 In the New Server popup, implement the following settings, and then click OK.

  • Server Type: RADIUS
  • Name: CPPM-1
  • IP Address: 10.2.120.94
  • Shared Key: shared key
  • Retype Key: shared key

NOTE:
It is important to record the Shared Key created above for use when configuring ClearPass Policy Manager in the procedure below.

Step 12 Repeat the two previous steps for the second CPPM server using the appropriate values.

Step 13 On the Security tab, implement the following setting.

  • Load Balancing: Slide to the right

NOTE:
The best practice is to deploy two RADIUS servers and enable load balancing.

Step 14 On the Security tab, expand Advanced Settings, scroll down and click the + sign to expand Fast Roaming, implement the following settings, and then click Next.

  • Opportunistic Key Caching: Slide to the right
  • 802.11K: Slide to the right

Step 15 On the Access Tab, implement the following setting, and then click Next.

  • Access Rules: Slide to Unrestricted

NOTE:
The restrictions for this type of SSID are done in the Gateway.

Step 16 On the Summary tab, review the settings and select Finish.

Configure ClearPass for the WPA3-Enterprise Wireless LAN

Use this procedure to configure ClearPass Policy Manager for the WPA3-Enterprise SSID.

Step 1 Browse to the ClearPass Policy Manager server, and log in with administrator credentials.

Step 2 From the left navigation menu, select Configuration, use the + sign to expand Network, and then select Devices.

Step 3 From the upper right of the Network Devices page, click +Add.

Step 4 On the Add Device page, implement the following settings, and then click Add.

  • Name: EXAMPLE.LOCAL 10
  • IP or Subnet Address: 10.0.0.0/8
  • Description: <subnet description>
  • Radius Shared Secret & Verify: RADIUS-SECRET
  • TACACS Shared Secret & Verify: RADIUS-SECRET
  • Vendor Name: Aruba (default)
  • Enable RADIUS Dynamic Authorization: checkmark
  • Port: 3799 (default)

Step 5 Repeat this procedure for additional ClearPass Policy Manager servers in the network.

Configure the Pre-Shared Key Wireless LAN

Use this procedure to configure a WPA3-Personal SSID with a pre-shared key.

WPA3-Personal allows for authentication using a pre-shared key on a device that does not support 802.1X authentication.

Step 1 From the Access Points page, select the WLANs tab, and then on the bottom left of the Wireless SSIDs table, click + Add SSID.

Step 2 In the Create a New Network page on the General tab, expand Advanced Settings, and then click the + sign to expand Broadcast/Multicast.

Step 3 Click the + sign to expand Transmit Rates (Legacy Only), implement the following settings, and then click Next.

  • Name (SSID): EXAMPLE-PSK
  • Broadcast filtering: ALL
  • Dynamic Multicast Optimization (DMO): Slide to the right
  • DMO Client Threshold: 40
  • 2.4 GHz: Min: 5
  • 5 GHz: Min: 18

Step 4 On the VLANs tab, implement the following settings, and then click Next:

  • Traffic Forwarding Mode: Bridge
  • Client VLAN Assignment: Static
  • VLAN ID: PRINTER(6)

Step 5 On the Security tab, implement the following settings, and then click Next:

  • Security Level: Slide to Personal
  • Key Management: WPA3 Personal
  • Passphrase: passphrase
  • Retype: passphrase

Step 6 On the Access Tab, implement the following setting, and then click Next.

  • Access Rules: Slide to Unrestricted

NOTE:
The restrictions for this type of SSID are done in the switch network.

Step 7 On the Summary tab, review the settings and select Finish.

Configure the Visitor Wireless LAN

Use this procedure to configure a visitor SSID.

Step 1 From the Access Points page, select the WLANs tab, and then on the bottom left of the Wireless SSIDs table, click + Add SSID.

Step 2 In the Create a New Network page on the General tab, expand Advanced Settings, and then click the + sign to expand Broadcast/Multicast.

Step 3 Click the + sign to expand Transmit Rates (Legacy Only), and then implement the following settings.

  • Name (SSID): EXAMPLE-VISITOR
  • Broadcast filtering: ALL
  • Dynamic Multicast Optimization (DMO): Slide to the right
  • DMO Client Threshold: 40
  • 2.4 GHz: Min: 5
  • 5 GHz: Min: 18

Step 4 On the General tab, scroll down, click the + sign to expand Time Range Profiles, and then in the middle of the section, click + New Time Range Profile.

Step 5 In the New Profile popup, implement the following settings, and then click Save.

  • Name: Visitor Weekdays
  • Type: Periodic
  • Repeat: Daily
  • Day Range: Monday - Friday (Weekdays)
  • Start Time: Hours: 7, Minutes: 0
  • End Time: Hours: 18, Minutes: 0

Step 6 From the Time Range Profiles section in the Status drop-down list, find the newly created profile, select Enabled, and then at the bottom of the page, click Next.

Step 7 On the VLANs tab, implement the following settings, and then click Next.

  • Traffic Forwarding Mode: Bridge
  • Client VLAN Assignment: Static
  • VLAN ID: VISITOR(12)

Step 8 On the Security tab, implement the following settings.

  • Security Level: Slide to Captive Portal
  • Captive Portal Type: External

Step 9 In the Splash Page section, click the + sign next to Captive Portal Profile.

Step 10 In the External Captive Portal-New popup, implement the following settings, and then click OK.

  • Name: CPPM-Portal
  • Authentication Type: RADIUS Authentication
  • IP or Hostname: cppm.example.local
  • URL: /guest/example_guest.php
  • Port: 443
  • Redirect URL: http://www.arubanetworks.com

Step 11 On the Security tab in the Splash Page section, click the + sign next to Primary Server.

Step 12 In the New Server popup, implement the following settings, and then click OK.

  • Server Type: RADIUS
  • Name: CPPM-1
  • IP Address: 10.2.120.94
  • Shared Key: shared key
  • Retype Key: shared key

Step 13 Repeat the two previous steps for the second CPPM server using the appropriate values.

Step 14 On the Security tab in the Splash Page section, implement the following settings, and then click Next.

  • Load Balancing: Slide to the right
  • Encryption: Slide to the left
  • Key Management: Enhanced Open

NOTE:
The Captive Portal Profile requires information from the CPPM server on the network. For detailed steps, see Appendix 1: How to Find ClearPass Details for the Visitor WLAN.

Step 15 On the Access tab, move the slider to Network Based, select the Allow any to all destinations rule, and then click the pencil icon.

Step 16 In the Access Rules popup, implement the following settings, and then click OK.

  • Action: Deny

CAUTION:
This step changes the default allow any to all destinations rule to a deny any to all destinations rule for visitor traffic. This line must always be the last entry in the Access Rules to prevent unauthorized access to internal network resources.

Step 17 On the Access tab, select +Add Rule.

In most cases, visitors need only DHCP and DNS services and HTTP/HTTPS access to destinations on the Internet. Allow access to the DHCP servers on the internal network and allow DNS to two well-known public DNS servers. To prevent access to internal resources, add an exception network and mask covering the internal IP address space to the HTTP and HTTPS allow rules.

Example: Access rules for visitors

Rule Type        Service Type   Service Name   Action   Destination
Access control   Network        DHCP           Allow    10.2.120.98 (internal DHCP server)
Access control   Network        DHCP           Allow    10.2.120.99 (internal DHCP server)
Access control   Network        DNS            Allow    8.8.4.4 (well-known DNS server)
Access control   Network        DNS            Allow    8.8.8.8 (well-known DNS server)
Access control   Network        HTTP           Allow    To all destinations, except internal
Access control   Network        HTTPS          Allow    To all destinations, except internal
Access control   Network        Any            Deny     To all destinations

Step 18 In the Access Rules popup, implement the following settings, and then click OK.

  • Rule Type: Access Control
  • Service: Network
  • Service (drop-down): dhcp
  • Action: Allow
  • Destination: To a particular server
  • IP: 10.2.120.98
  • Options: none selected

NOTE:
When using the provided table, the easiest way to add the rules is from the bottom up, so that they are in the correct order when finished.

Step 19 Repeat the previous two steps to add all the rules in the table.

Step 20 On the Access tab, click Next.

Step 21 On the Summary tab, review the settings, and select Finish.
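As an added example (not from the Aruba guide or Central itself), the following Python models the visitor rule table above as an ordered first-match list, evaluates constructed sample flows against it, flags any rule placed after the final deny as unreachable, and checks the Visitor Weekdays time range profile. The 10.0.0.0/8 internal range is an assumption borrowed from the ClearPass network device entry.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumption: campus internal space, the 10.0.0.0/8 used for the ClearPass device entry.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

@dataclass
class Rule:
    service: str                   # "dhcp", "dns", "http", "https" or "any"
    action: str                    # "allow" or "deny"
    dest: str                      # a specific server IP, or "any"
    except_internal: bool = False  # the "except internal" exception on HTTP/HTTPS

# Ordered exactly as the "Access rules for visitors" table; deny-any stays last.
VISITOR_RULES = [
    Rule("dhcp", "allow", "10.2.120.98"),
    Rule("dhcp", "allow", "10.2.120.99"),
    Rule("dns", "allow", "8.8.4.4"),
    Rule("dns", "allow", "8.8.8.8"),
    Rule("http", "allow", "any", except_internal=True),
    Rule("https", "allow", "any", except_internal=True),
    Rule("any", "deny", "any"),
]

def is_internal(dst: str) -> bool:
    return any(ip_address(dst) in net for net in INTERNAL_NETS)

def evaluate(rules, service: str, dst: str) -> str:
    """First matching rule wins; a flow that matches nothing is denied."""
    for r in rules:
        if r.service != "any" and r.service != service:
            continue
        if r.dest != "any" and r.dest != dst:
            continue
        if r.except_internal and is_internal(dst):
            continue  # excluded destination: fall through to the later rules
        return r.action
    return "deny"

def unreachable_rules(rules):
    """Rules placed after 'deny any to all destinations' can never match."""
    for i, r in enumerate(rules):
        if r == Rule("any", "deny", "any"):
            return rules[i + 1:]
    return []

def visitor_window_open(ts: datetime) -> bool:
    """The 'Visitor Weekdays' profile: Monday to Friday, 07:00 to 18:00."""
    return ts.weekday() < 5 and 7 <= ts.hour < 18
```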


© Copyright 2021 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. Aruba Networks and the Aruba logo are registered trademarks of Aruba Networks, Inc. Third-party trademarks mentioned are the property of their respective owners. To view the end-user software agreement, go to Aruba EULA.