07-Mar-24

Aruba Branch Access Point (AP) Configuration

This section describes the creation and configuration of the AP group to support wireless service in the branches.


Create an AP Group

This group was already created in the “Preparing to Deploy” section. Skip this procedure if the group exists; do not create it a second time.

Step 1 In the left navigation pane, in the Maintain section, select Organization.

Step 2 Select the Groups tile.

Step 3 Click the + (plus sign) to create a New Group.

Creating AP Group

Open the AP Group

This procedure locates and opens the AP group

Step 1 In the Global dropdown, search or select the group you created in the previous section.

Step 2 In the left navigation pane, in the Manage section, select Devices.

Step 3 Select the AP tab, then click the gear icon in the upper right corner.

Step 4 Click Cancel, then click Exit.

AP Group Navigation

Configure the WPA3-Enterprise Wireless LAN

Use this procedure to configure a WPA3-Enterprise SSID.

WPA3-Enterprise authenticates users and devices with 802.1X. The wireless client runs an EAP exchange with a RADIUS server (ClearPass Policy Manager in this guide), and the AP acts as the authenticator, relaying the EAP messages between the two and admitting the client only when the server returns an Access-Accept. The EAP method determines the credential: with EAP-TLS, both the client and the RADIUS server present certificates and verify each other's identity. Password-based methods such as PEAP still rely on the client validating the server certificate; a client configured to skip that check will hand its credentials to any rogue AP that presents the same SSID.

Step 1 From the Access Point page, select the WLANs tab. On the bottom left of the Wireless SSIDs table, click (+) Add SSID.

Add SSID

Step 2 In the Create a New Network page on the General tab, expand Advanced Settings.

Step 3 Configure SSID Name: EXAMPLE-CORP

Step 4 Click the + (plus sign) to expand Broadcast/Multicast.

  • Change the Broadcast filtering to All.
  • Enable DMO, and set the DMO Client Threshold to 40.

Note: A DMO Client Threshold of 40 is the recommended initial value and should be adjusted based on actual performance.

Step 5 Click the + (plus sign) to expand Transmit Rates (Legacy Only).

  • Set 2.4 GHz to Min: 5 and Max: 54.
  • Set 5 GHz to Min: 18 and Max: 54.

Step 6 Click Next

General SSID Configuration

Configure SSID VLAN

On the VLANs tab, assign the following settings:

Step 1 Set the Traffic Forwarding Mode to Tunnel.

Step 2 Set the Primary Gateway Cluster: UI-BGW-01-AUTO site cluster. Leave the Secondary Gateway Cluster: None (default).

Step 3 Set the Client VLAN Assignment: Static (default).

Step 4 Select the Employee VLAN (101).

Step 5 Click Next.

Configuring VLAN

Note: When tunneling to the branch gateway, ensure that the VLAN line protocol is up by verifying that the VLAN is trunked, or that forced operational state up is configured for it, on the branch gateway.

Configure SSID Security Settings

WPA3 provides significant security improvements over WPA2 and should be used when possible. Consult relevant endpoint documentation to confirm support.

On the Security tab, assign the following settings:

Step 1 Security Level: Slide to Enterprise

Step 2 Key Management: WPA3 Enterprise CCM 128

Enabling dot1x

Step 3 On the Security tab, click the + (plus sign) next to Primary Server.

Step 4 In the New Server window, assign the following settings, then click OK.

  • Set Server Type to RADIUS.
  • Name the server cppm-01
  • Enter the RADIUS IP Address: 10.2.120.94
  • Enter the Shared Key: shared key

Adding Radius Server

Note: Record the Shared Key entered above; the same value must be configured for this network access device in ClearPass Policy Manager in the procedure below. Do not use the placeholder text shown. Use a long, random secret: it is the only key protecting the RADIUS exchange between the AP and ClearPass, authenticating both requests and responses, so a weak or widely reused secret lets an attacker on that path forge an Access-Accept.

Step 5 Repeat the two previous steps for the second CPPM server using the appropriate values.

Step 6 Enable Load Balancing by selecting the toggle.

Enabling Load Balancing

Note: Best practice is to deploy two RADIUS servers and enable load balancing.

Step 7 On the Security tab, expand Advanced Settings and scroll down.

Step 8 Click the + (plus sign) to expand Fast Roaming.

Step 9 Ensure that Opportunistic Key Caching is enabled.

Step 10 Enable 802.11k.

Enable Fast Roaming
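The 802.1X description at the start of this section and the RADIUS server steps above both depend on one value, the shared key. The following Python script is an added example, not Aruba or ClearPass code: it builds the Access-Request the AP (the relay between client and RADIUS server) sends for the EXAMPLE-CORP SSID, carrying the client's first EAP message, and the Access-Accept the server returns, then verifies each side with the shared secret as RFC 2865 and RFC 3579 specify. Only the server address 10.2.120.94 comes from this page; the NAS address 10.2.101.2, the identity alice@example.local and the secret are assumed values.

```python
"""Added example: what the RADIUS shared key protects (RFC 2865 / RFC 3579).

Builds an Access-Request with a Message-Authenticator and the matching
Access-Accept with a Response Authenticator, then verifies both with the
shared secret. Addresses, identity and secret other than the ClearPass
server 10.2.120.94 are assumed values, not taken from the configuration guide.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, NAS_IP_ADDRESS, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 4, 79, 80
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; 16-byte Authenticator follows


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length (including this 2-byte header), Value."""
    return bytes([attr_type, len(value) + 2]) + value


def eap_identity_response(eap_id: int, identity: str) -> bytes:
    """EAP-Response/Identity (Code 2, Type 1): the first EAP message the client
    sends; the AP relays it to the RADIUS server inside an EAP-Message attribute."""
    data = identity.encode()
    return struct.pack("!BBHB", 2, eap_id, 5 + len(data), 1) + data


def build_access_request(secret: bytes, ident: int, identity: str, nas_ip: str) -> bytes:
    """Authenticator side: Access-Request whose Message-Authenticator is
    HMAC-MD5(secret, packet with the 16-byte Message-Authenticator zeroed)."""
    request_authenticator = os.urandom(16)
    attrs = (
        attr(USER_NAME, identity.encode())
        + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
        + attr(EAP_MESSAGE, eap_identity_response(1, identity))
    )
    body = attrs + attr(MESSAGE_AUTHENTICATOR, bytes(16))  # placeholder, last attribute
    unsigned = HEADER.pack(ACCESS_REQUEST, ident, 20 + len(body)) + request_authenticator + body
    mac = hmac.new(secret, unsigned, hashlib.md5).digest()
    return unsigned[:-16] + mac


def verify_message_authenticator(secret: bytes, packet: bytes) -> bool:
    """Server side: recompute the HMAC with the attribute value zeroed.
    A request carrying EAP-Message without a valid Message-Authenticator is discarded."""
    offset = 20
    while offset + 2 <= len(packet):
        attr_type, length = packet[offset], packet[offset + 1]
        if length < 2:
            return False
        if attr_type == MESSAGE_AUTHENTICATOR and length == 18:
            received = packet[offset + 2 : offset + 18]
            zeroed = packet[: offset + 2] + bytes(16) + packet[offset + 18 :]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        offset += length
    return False


def build_response(secret: bytes, request: bytes, code: int, attrs: bytes = b"") -> bytes:
    """Server side: Response Authenticator =
    MD5(Code + Identifier + Length + RequestAuthenticator + Attributes + Secret)."""
    header = HEADER.pack(code, request[1], 20 + len(attrs))
    response_authenticator = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + response_authenticator + attrs


def verify_response(secret: bytes, request: bytes, response: bytes) -> bool:
    """Authenticator side: accept only a response for the outstanding Identifier
    whose Response Authenticator recomputes with our secret and Request Authenticator."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    _, _, length = HEADER.unpack(response[:4])
    if length != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


if __name__ == "__main__":
    secret = b"assumed-long-random-secret-not-the-placeholder"  # assumed value
    req = build_access_request(secret, 42, "alice@example.local", "10.2.101.2")
    accept = build_response(secret, req, ACCESS_ACCEPT)
    forged = build_response(b"guessed-wrong", req, ACCESS_ACCEPT)
    print("request authenticated:", verify_message_authenticator(secret, req))
    print("accept authenticated:", verify_response(secret, req, accept))
    print("forged accept rejected:", not verify_response(secret, req, forged))
```

Both checks are keyed MD5 constructions, so the secret's length and randomness are all that stands between a forged Access-Accept and an admitted client; give each CPPM server entry a secret that cannot be guessed, and treat the RADIUS path between APs and ClearPass as sensitive traffic.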

Configure Network Access Rules

Tunnel mode SSID restrictions are configured on the Gateway.

Step 1 On the Access tab, ensure that the Access Rules is set to Unrestricted.

Set Access

Step 2 On the Summary tab, review the settings and click Finish.

Configure the Visitor Wireless LAN

Use this procedure to configure a visitor SSID.

Step 1 On the Access Points page, select the WLANs tab. On the bottom left of the Wireless SSIDs table, click (+) Add SSID.

Add SSID

Step 2 Configure SSID Name: EXAMPLE-GUEST

Step 3 On the Create a New Network page of the General tab, expand Advanced Settings.

Step 4 Click the + (plus sign) to expand Broadcast/Multicast.

  • Change the Broadcast filtering to All.
  • Enable DMO, and set the DMO Client Threshold to 40.

Note: A DMO Client Threshold of 40 is the recommended initial value and should be adjusted based on actual performance results.

Step 5 Click the (+) sign to expand Transmit Rates (Legacy Only).

  • Set 2.4 GHz to Min: 5, Max: 54.
  • Set 5 GHz to Min: 18, Max: 54.

General SSID Configuration

Step 6 On the General tab, scroll down, and click the + (plus sign) to expand Time Range Profiles.

Step 7 In the middle of the section, click (+) New Time Range Profile.

Time Range Profile

Step 8 In the New Profile window, assign the following settings, then click Save.

  • Configure the Name: Visitor Weekdays.
  • Ensure the Type is Periodic.
  • Set Repeat to Daily.
  • Set the Day Range: Monday - Friday (Weekdays) (This can be changed to fit other environments).
  • Set the Start Time Hours: 7, Minutes: 0.
  • Set the End Time Hours: 18, Minutes: 0.

Configuring Time profile

Step 9 In the Time Range Profiles section in the Status dropdown, find the newly created profile, and select Enabled. At the bottom of the page, click Next.

Enable Time profile

Configure VLANs

Step 1 On the VLANs tab, assign the following settings, then click Next.

  • Set the Traffic Forwarding Mode to Tunnel.
  • VLAN ID: Guest (104).

Set tunneling

Note: When tunneling to the branch gateway, ensure that the VLAN line protocol is up by verifying that the VLAN is trunked, or that forced operational state up is configured for it, on the branch gateway.

Configure Security

Step 1 On the Security tab, assign the following settings.

  • Set the Security Level to Visitors.
  • Captive Portal Type: External.

enable Captive portal

Step 2 In the Splash Page section, click the + (plus sign) next to Captive Portal Profile.

Step 3 In the External Captive Portal-New window, assign the following settings, then click OK.

  • Enter the Name: CPPM-Portal.
  • Set the Authentication Type: RADIUS Authentication.
  • Enter the Clearpass IP or Hostname: cppm.example.local.
  • Enter the captive portal URL: /guest/example_guest.php.
  • Verify the Port is 443.
  • Set the Redirect URL: http://www.arubanetworks.com.

Redirect configuration

Step 4 On the Security tab, in the Splash Page section, click the dropdown next to Primary Server and select the RADIUS server created in the WPA3-Enterprise section. Ensure that the Secondary Server is selected as well, then enable Load Balancing.

Configuring Radius Servers

Step 5 If the RADIUS servers were not created in the WPA3-Enterprise section, follow the steps below to configure them.

Step 6 On the Security tab, click the + (plus sign) next to Primary Server.

Step 7 In the New Server window, assign the following settings, then click OK.

  • Set Server Type to RADIUS.
  • Name the server cppm-01.
  • Enter the RADIUS IP address: 10.2.120.94.
  • Enter the Shared Key: shared key.

Adding Radius Server

Note: It is important to record the Shared Key created above for use when configuring ClearPass Policy Manager in the procedure below.

Step 8 Repeat the two previous steps for the second CPPM server using the appropriate values.

Step 9 Enable Load Balancing by selecting the toggle, then click Next.

Enable Load balancing

Note: The Captive Portal Profile requires information from the CPPM server on the network. For detailed steps, see Appendix 1: How to Find ClearPass Details for the Visitor WLAN.

Configure Access For Guest SSID

In most cases, a visitor needs only DHCP, DNS, and HTTP/HTTPS access to destinations on the Internet. Because the HTTP and HTTPS allow rules match all destinations, add an exception network and mask covering the internal address space to each of them; without that exception, every internal web service would be reachable from the guest VLAN.

Step 1 On the Access tab, move the slider to Network Based.

Step 2 Select the Allow any to all destinations rule, then click the pencil icon.

Step 3 In the Access Rules window, change the action from Allow to Deny, then click OK.

Step 4 On the Access tab, select (+) Add Rule.

Step 5 In the Access Rules window, assign the settings in the table below, then click OK.

Step 6 Repeat step 4 and 5 for each row in the table.

Caution: This step changes the default allow any to all destinations rule to a deny any to all destinations rule for visitor traffic. This line must always be the last entry in the Access Rules to prevent unauthorized access to internal network resources.

Example: Access rules for visitors

Rule type       | Service type | Service name | Action | Destination
Access control  | Network      | DHCP         | Allow  | 10.2.120.98 (internal DHCP server)
Access control  | Network      | DHCP         | Allow  | 10.2.120.99 (internal DHCP server)
Access control  | Network      | DNS          | Allow  | 8.8.4.4 (well-known DNS server)
Access control  | Network      | DNS          | Allow  | 8.8.8.8 (well-known DNS server)
Access control  | Network      | HTTP         | Allow  | To all destinations, except internal
Access control  | Network      | HTTPS        | Allow  | To all destinations, except internal
Access control  | Network      | Any          | Deny   | To all destinations

Configuring Access Control list

Step 7 Review the ACL, and select Next.

Final ACL

Step 8 On the Summary tab, review the settings, and click Finish.

Summary Configuration
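To check the visitor rule table above rather than eyeball it, the following Python script is an added example, not Aruba code: it encodes the seven rules, evaluates sample guest flows first-match, and flags the two mistakes the Caution warns about, a catch-all deny that is not the last rule and an allow-to-all-destinations rule with no internal exception. The service-to-port mapping and the internal range 10.0.0.0/8 are assumptions; the gateway's real matcher may differ in details such as how it treats broadcast DHCP.

```python
"""Added example: first-match evaluation of the visitor access rules.

Rules are (service, action, destination, exceptions) in the order of the
table in this section. INTERNAL and the SERVICES port map are assumptions.
"""
from ipaddress import ip_address, ip_network

INTERNAL = [ip_network("10.0.0.0/8")]  # assumed: address space visitors must never reach

SERVICES = {  # assumed mapping of the UI service names to protocol and destination port
    "DHCP": ("udp", 67),
    "DNS": ("udp", 53),
    "HTTP": ("tcp", 80),
    "HTTPS": ("tcp", 443),
}

VISITOR_RULES = [
    ("DHCP", "allow", "10.2.120.98", []),
    ("DHCP", "allow", "10.2.120.99", []),
    ("DNS", "allow", "8.8.4.4", []),
    ("DNS", "allow", "8.8.8.8", []),
    ("HTTP", "allow", "any", INTERNAL),   # "to all destinations, except internal"
    ("HTTPS", "allow", "any", INTERNAL),  # "to all destinations, except internal"
    ("any", "deny", "any", []),           # must stay last
]


def service_matches(service: str, proto: str, dport: int) -> bool:
    return service == "any" or SERVICES[service] == (proto, dport)


def destination_matches(destination: str, exceptions, dst: str) -> bool:
    """An address inside one of the rule's exception networks does not match the rule."""
    addr = ip_address(dst)
    if any(addr in net for net in exceptions):
        return False
    return destination == "any" or addr == ip_address(destination)


def evaluate(rules, proto: str, dport: int, dst: str) -> str:
    """Return the action of the first matching rule; deny if nothing matches."""
    for service, action, destination, exceptions in rules:
        if service_matches(service, proto, dport) and destination_matches(destination, exceptions, dst):
            return action
    return "deny"


def ordering_is_safe(rules) -> bool:
    """True only if the single catch-all (any service, any destination) is the last rule and denies."""
    catch_all = [i for i, (s, _, d, _) in enumerate(rules) if s == "any" and d == "any"]
    return catch_all == [len(rules) - 1] and rules[-1][1] == "deny"


def unguarded_allows(rules) -> list:
    """Services allowed to all destinations without every internal range in the exception list."""
    return [
        service
        for service, action, destination, exceptions in rules
        if action == "allow" and destination == "any" and not all(net in exceptions for net in INTERNAL)
    ]


if __name__ == "__main__":
    # constructed sample flows from a guest client
    for proto, dport, dst in [("udp", 53, "8.8.8.8"), ("tcp", 443, "203.0.113.10"),
                              ("tcp", 443, "10.2.120.94"), ("tcp", 22, "203.0.113.10")]:
        print(proto, dport, dst, "->", evaluate(VISITOR_RULES, proto, dport, dst))
    print("ordering safe:", ordering_is_safe(VISITOR_RULES))
    print("unguarded allows:", unguarded_allows(VISITOR_RULES))
```

The same two helper checks are worth re-running whenever a rule is added to the guest ACL in Central: a new allow rule pasted after the deny line never takes effect, and an allow rule pasted before it without the internal exception quietly opens the branch network to guests.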

Configure the WLAN Access Points

After a branch is operational, the access points automatically create a virtual controller (VC) cluster and join the default group.

Assign the WLAN AP Group

Step 1 In the dropdown, verify that All Devices is selected.

Step 2 In the left navigation pane, in the Manage section, select Devices.

Step 3 On the Access Points tab, in the Access Points section, identify the MAC addresses of the AP and assign the AP to the UI-AP-BR01 group.

Step 4 In the left navigation pane, in the Maintain section, select Organization.

Step 5 Drag the virtual controller into the configured AP group. All access points in the site are automatically moved to the AP group.

Moving APs

Assign WLAN Access Points to Site

The following procedure assigns access points to a site. Creating sites was shown in the “Preparing to Deploy” section of the guide.

Step 1 Go to Organization and select Site.

Step 2 Select Unassigned devices and assign the APs to the correct site. Click Yes.

Assigning APs to site

Rename the Access Points

Step 1 Go to the UI-AP-BR01 group.

Step 2 Select Configuration.

Step 3 Select the AP, then click the pencil icon.

Step 4 Enter the new AP name. In this example, it is RS01-AP01. Click Save Settings.

Naming APs



© Copyright 2024 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. Aruba Networks and the Aruba logo are registered trademarks of Aruba Networks, Inc. Third-party trademarks mentioned are the property of their respective owners. To view the end-user software agreement, go to Aruba EULA.